PatchSiren cyber security CVE debrief
CVE-2026-45552 roxy-wi CVE debrief
CVE-2026-45552 is a critical vulnerability in Roxy-WI, a web interface for managing HAProxy, Nginx, Apache, and Keepalived servers. It carries a CVSS score of 9.9 (CRITICAL), was published on 2026-06-10T15:16:36.303Z and last modified on 2026-06-10T19:37:41.437Z. The root cause is missing decorators in the install blueprint, so the affected endpoints perform neither a role check nor a group check. As a result, any logged-in user, including the default guest role 4, can install or reconfigure exporters, WAF, and GeoIP databases on every server in the Roxy-WI database, regardless of tenant ownership. The Ansible playbooks run with the per-server SSH credential stored in Roxy-WI, which the credential's rightful owner (a different tenant) has provisioned with sudo rights for the management workflow.
- Vendor: roxy-wi
- Product: Unknown
- CVSS: CRITICAL 9.9
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-10
- Original CVE updated: 2026-06-10
- Advisory published: 2026-06-10
- Advisory updated: 2026-06-10
Who should care
Administrators and users of Roxy-WI are advised to take immediate action to mitigate this vulnerability.
Technical summary
The vulnerability is caused by missing decorators in the install blueprint, specifically in the app/routes/install/routes.py file. The individual endpoints install_exporter, install_waf, install_geoip, check_geoip, get_exporter_version, and get_task_status are not wrapped in page_for_admin and do not call roxywi_common.is_user_has_access_to_its_group(server_ip) or check_is_server_in_group(server_ip). Only the GET index page (install_monitoring) is gated by roxywi_auth.page_for_admin(level=2); gating the index page alone does nothing to protect the action endpoints, which can be requested directly.
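The following added example (not Roxy-WI's own code) models the defect and the fix in plain Python: an action endpoint with no role gate and no tenant check, beside the same endpoint wrapped in a role-level decorator and a group-ownership decorator. The decorator names are borrowed from those the advisory cites, but their bodies, the role levels, the server-to-group table and the IP addresses are all constructed stand-ins.

```python
from functools import wraps

# Constructed role levels, modelled on the advisory's "guest role 4"; not Roxy-WI's real table.
ADMIN, GROUP_ADMIN, USER, GUEST = 1, 2, 3, 4
# Constructed tenant table: which group owns each server (placeholder IPs).
SERVER_GROUP = {"10.0.0.10": "tenant-a", "10.0.0.20": "tenant-b"}

class Forbidden(Exception):
    pass

def page_for_admin(level):
    """Reject callers whose role is weaker (numerically higher) than `level`."""
    def deco(fn):
        @wraps(fn)
        def wrapper(user, *args, **kw):
            if user["role"] > level:
                raise Forbidden(f"role {user['role']} may not call {fn.__name__}")
            return fn(user, *args, **kw)
        return wrapper
    return deco

def check_is_server_in_group(fn):
    """Reject requests whose server_ip is not owned by the caller's group."""
    @wraps(fn)
    def wrapper(user, server_ip, *args, **kw):
        if SERVER_GROUP.get(server_ip) != user["group"]:
            raise Forbidden(f"{server_ip} is not in group {user['group']}")
        return fn(user, server_ip, *args, **kw)
    return wrapper

def run_playbook(user, server_ip, playbook):
    # Stand-in for the Ansible run that uses the stored per-server SSH credential.
    return f"{user['name']} ran {playbook} on {server_ip}"

# Vulnerable shape: reachable by any logged-in user, against any server.
def install_exporter_unguarded(user, server_ip):
    return run_playbook(user, server_ip, "exporter")

# Hardened shape: role gate plus group-ownership check on the action endpoint itself.
@page_for_admin(level=GROUP_ADMIN)
@check_is_server_in_group
def install_exporter_guarded(user, server_ip):
    return run_playbook(user, server_ip, "exporter")

def try_call(fn, user, server_ip):
    """Invoke an endpoint and turn an authorization failure into a 'denied' string."""
    try:
        return fn(user, server_ip)
    except Forbidden as e:
        return f"denied: {e}"
```

The same pair of decorators must be applied to every action endpoint in the blueprint; a gate on the index page only protects the page that renders the form.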
Defensive priority
High
Recommended defensive actions
- Apply patches or updates as soon as they become available.
- Restrict access to the Roxy-WI interface to trusted users and groups; because any logged-in account, including the guest role, can reach the affected endpoints, review and remove unneeded accounts until a fix is applied.
- Monitor Roxy-WI logs for exporter, WAF, or GeoIP install tasks targeting servers outside the requesting user's group.
Evidence notes
The vulnerability is confirmed by the CVE record and the NVD detail page. The source item URL provides additional information about the vulnerability.
Official resources
- CVE-2026-45552 CVE record (CVE.org)
- CVE-2026-45552 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: CVE-2026-45552 was published on 2026-06-10T15:16:36.303Z and modified on 2026-06-10T19:37:41.437Z.