HIGH 8.5

CVE-2026-45549: Roxy-WI Privilege Escalation Allows Any Authenticated User to Disrupt Infrastructure Services

Roxy-WI, a web management tool for load balancers and web servers, contains a privilege escalation vulnerability in versions 8.2.6.4 and earlier. Any user logged into the system—even those with minimal "guest" privileges—can remotely start, stop, or restart the monitoring agent service on any server managed by Roxy-WI. Because the underlying systemd commands execute with root privileges, an attacker can disrupt critical infrastructure services or cause denial of service across your entire load-balanced environment. Authentication is required, but the lack of role or permission checks makes this a significant lateral movement and sabotage risk.

Source data · NVD / CISA · public domain

CVSS
3.1 · 8.5 HIGH · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H
Weaknesses (CWE)
CWE-862, CWE-863
Affected products
0 configuration(s)
Published / Modified
2026-06-10 / 2026-06-17

NVD description (verbatim)

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, agent_action (app/routes/smon/agent_routes.py:166-179) has decorators @bp.post('/agent/action/<action>') and @jwt_required() only — no role check, no group ownership check on the server_ip form field. Any authenticated user, including role 4 (guest), can start, stop, or restart the roxy-wi-smon-agent systemd unit on any server they can name. Roxy-WI executes the systemd action over its own SSH credentials (passwordless sudo), so the action runs as root on the target. At time of publication, there are no publicly available patches.

2 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

The agent_action endpoint in app/routes/smon/agent_routes.py (lines 166–179) is protected only by JWT authentication via the @jwt_required() decorator. It lacks both role-based access control (RBAC) and server group ownership validation. The vulnerable endpoint accepts a server_ip form parameter and executes systemd service control commands (start, stop, restart) on the roxy-wi-smon-agent unit. Because Roxy-WI invokes these commands over SSH with passwordless sudo configured for its service account, the systemd actions run with root privileges on the target server. An authenticated user with any role, including guest (role 4), can invoke this action against any reachable server in the managed infrastructure by simply naming its IP address.

Business impact

Organizations relying on Roxy-WI to manage production load balancers and web servers face two immediate risks: (1) availability disruption—an insider or compromised low-privilege account can remotely disable monitoring and management agents on critical infrastructure, creating a denial-of-service condition; (2) loss of observability—stopping the monitoring agent blinds your infrastructure telemetry at a critical moment, potentially masking secondary attacks. In environments where Roxy-WI manages Keepalived HA clusters or load balancing, stopping the agent can cause failover events or service interruptions. Compliance frameworks (SOC 2, ISO 27001, PCI-DSS) typically expect role-based access controls on privileged operations; this finding may indicate control gaps requiring remediation.

Affected systems

All Roxy-WI installations running version 8.2.6.4 or earlier are affected. Any Roxy-WI user account—regardless of assigned role—can exploit this vulnerability if they have network access to the Roxy-WI web interface. The vulnerability does not require special permissions, admin privileges, or valid credentials on the managed infrastructure itself; authentication to Roxy-WI is the only requirement. All managed servers registered in Roxy-WI (HAProxy, Nginx, Apache, Keepalived) and their agents are at risk if the underlying SSH passwordless sudo configuration is in place.

Exploitability

Exploitability is straightforward and requires minimal technical sophistication. An attacker with valid Roxy-WI credentials—including a low-privilege guest account—can issue HTTP POST requests to the /agent/action/<action> endpoint, specifying any managed server IP and systemd action (start, stop, restart). No privilege escalation, chaining, or special conditions are needed; the vulnerability is directly exploitable with a single authenticated request. The attack is difficult to attribute if audit logging at the Roxy-WI level is incomplete, and it leaves minimal forensic evidence on the managed servers themselves if logging is not centralized. Automated scanning and password spraying against Roxy-WI instances could discover and exploit this at scale.

Remediation

Until a vendor patch is available, implement the following controls: (1) restrict network access to the Roxy-WI web interface using network segmentation, IP whitelisting, or VPN-only access; (2) audit all Roxy-WI user accounts and remove or disable unnecessary guest and low-privilege accounts; (3) implement application-level or API gateway-level access controls to restrict who can invoke /agent/action endpoints, by role or group; (4) review and tighten SSH passwordless sudo configuration on managed servers to require approval or multi-factor verification for agent restarts; (5) enable centralized audit logging and alerting on systemd service control events. Monitor vendor advisories closely for a patched version, and plan to upgrade immediately once available.

Patch guidance

As of the publication date (June 2026), no official vendor patch is available. Monitor the Roxy-WI project repository and vendor security advisories regularly. When a patched version is released, verify the release notes confirm that the agent_action endpoint now enforces role-based access control and server group ownership validation before applying any systemd commands. Test the patch in a non-production environment first, paying particular attention to whether guest users and lower-privilege roles retain access only to servers they should manage. The fix should include code review of all @jwt_required() decorators throughout the application to identify similar missing authorization checks.

Detection guidance

Search application logs and Roxy-WI audit trails for POST requests to /agent/action/* from low-privilege accounts (role 4, guests). Look for repeated calls targeting multiple distinct server IPs, which may indicate reconnaissance or mass exploitation. Monitor SSH session logs on managed servers for roxy-wi user invocations of systemctl or systemd-run commands, particularly for the roxy-wi-smon-agent unit. Check for unexpected systemd service state changes (stop, restart) during maintenance windows or on servers not undergoing planned changes. Enable comprehensive audit logging for all authenticated actions in Roxy-WI; if not already in place, this should be an immediate priority.

Why prioritize this

This vulnerability scores 8.5 CVSS (HIGH) and poses a material risk to infrastructure availability and observability. It requires only low-privilege authentication, affects all versions in the 8.2.6.4 lineage and earlier, and allows unauthenticated impact on core services. While the CVSS does not reach CRITICAL because it does not enable remote code execution or confidentiality loss, the ability for any authenticated user to disrupt load balancing and monitoring makes it a priority for immediate access control mitigation and vendor communication.

Risk score, explained

The CVSS 3.1 score of 8.5 reflects: (1) network-based attack vector with no special physical or user interaction required; (2) low attack complexity—the endpoint is directly callable; (3) low privilege requirement—guest users (role 4) can exploit it; (4) scope change—impact extends beyond the Roxy-WI application to managed infrastructure services; (5) high availability impact (A:H)—stopping the monitoring agent or service units causes denial of service; (6) low integrity impact (I:L)—no direct data modification, but service control is a form of indirect integrity loss; (7) no confidentiality impact. The score does not reach CRITICAL because it does not enable code execution or information disclosure; however, the scope change and high availability impact elevate it above typical MEDIUM-severity authorization issues.

Frequently asked questions

Do we need to be exploited to be at risk, or is this a configuration issue?

This is a code defect in Roxy-WI itself, not a configuration error. The vulnerability exists regardless of how SSH is configured, though the impact is amplified if passwordless sudo is enabled (which is common in Roxy-WI deployments). You are at risk if you are running Roxy-WI 8.2.6.4 or earlier and have any users or service accounts with access to the web interface.

Can guest-level users really cause a denial of service on production servers?

Yes. A guest account (role 4) can invoke the /agent/action endpoint against any server IP they specify. If the agent is a critical systemd unit, stopping it disables monitoring and management capabilities on that server. Combined with knowledge of server IPs (often discoverable via port scans or organizational documentation), an attacker can systematically disable observability across your infrastructure.

What should I do right now, before a patch is available?

Immediately audit Roxy-WI user accounts and remove or disable any guest or unnecessary low-privilege accounts. Restrict network access to the Roxy-WI web interface to authorized personnel only—use IP whitelisting, VPN, or network segmentation. If possible, implement an API gateway or WAF rule that blocks /agent/action/* requests from non-admin users. Enable detailed audit logging of all HTTP requests to Roxy-WI, focusing on the /agent/action endpoint. Subscribe to Roxy-WI security advisories so you can patch as soon as a fix is available.

Will this appear in public exploit databases or KEV catalogs?

At publication, this vulnerability is not listed on the CISA Known Exploited Vulnerabilities (KEV) catalog and no public exploit code is available. However, the ease of exploitation and the fact that no patch exists yet make it an attractive target for security researchers and threat actors. You should assume that exploits will emerge once a patch is available or if the vulnerability is widely disclosed.

This analysis is based on published vulnerability data as of June 2026. SEC.co makes no warranties regarding the accuracy or completeness of remediation guidance; organizations should verify all recommendations against the Roxy-WI vendor advisory and their specific infrastructure configuration. No public patch is available at the time of publication; patch guidance assumes standard secure development practices and should be validated against actual vendor releases. This explainer does not constitute legal, compliance, or operational advice. Organizations should consult with their security teams and risk management functions before taking any action. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).