PatchSiren cyber security CVE debrief

CVE-2026-45561 roxy-wi CVE debrief

A vulnerability was discovered in Roxy-WI, a web interface for managing Haproxy, Nginx, Apache, and Keepalived servers. Specifically, versions 8.2.6.4 and prior are affected. The issue lies in the /smon/agent/{version,uptime,status,checks}/<server_ip> family of routes, where the URL path component is directly used in requests without proper validation. This allows an attacker to send requests to arbitrary IP addresses and ports, potentially bypassing security mechanisms. The path component is only constrained by Flask's default URL converter, which does not adequately restrict the values that can be used. At the time of publication, there are no publicly available patches for this vulnerability.

Vendor: roxy-wi
Product: Unknown
CVSS: MEDIUM 6.5
CISA KEV: Not listed in stored evidence
Original CVE published: 2026-06-10
Original CVE updated: 2026-06-10
Advisory published: 2026-06-10
Advisory updated: 2026-06-10

Who should care

Administrators and users of Roxy-WI, especially those using versions 8.2.6.4 and prior, should be aware of this vulnerability and take necessary precautions.

Technical summary

The vulnerability is caused by the lack of proper validation of the URL path component in the /smon/agent/{version,uptime,status,checks}/<server_ip> routes. This allows an attacker to send requests to arbitrary IP addresses and ports.

Defensive priority

MEDIUM

Recommended defensive actions

Update to a patched version of Roxy-WI as soon as available.
Restrict access to the /smon/agent/{version,uptime,status,checks}/<server_ip> routes to trusted IP addresses only.
Monitor for suspicious activity on the Roxy-WI interface.

Evidence notes

CVE-2026-45561 has a CVSS score of 6.5 and a severity of MEDIUM. The vulnerability was published on 2026-06-10T15:16:37.023Z and last modified on 2026-06-10T19:37:41.437Z.

Official resources

CVE-2026-45561 was published on 2026-06-10T15:16:37.023Z and last modified on 2026-06-10T19:37:41.437Z.