CVE-2026-45563: Roxy-WI Audit Trail Disclosure – Unauthorized Access to User History
Roxy-WI, a popular web management interface for load balancers and web servers, contains a flaw that allows any logged-in user to view detailed audit trails of other users' administrative actions. Even a guest-level user in one department can see which servers another user has accessed, what configuration changes they deployed, and what services they restarted. The vulnerability affects Roxy-WI versions 8.2.6.4 and earlier. While this doesn't grant direct control over infrastructure, it exposes sensitive operational history that should remain confidential.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
- Weaknesses (CWE)
- CWE-639, CWE-863
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-06-17
NVD description (verbatim)
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, GET /history/<service>/<server_ip> re-uses the server_ip path parameter as a user-id when service == 'user', with no authorization check. Any authenticated user — even a guest in an unrelated group — can list any other user's full action audit trail (server IPs touched, configs deployed, services restarted). At time of publication, there are no publicly available patches.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability exists in the GET /history/<service>/<server_ip> endpoint. When the service parameter is set to 'user', Roxy-WI incorrectly interprets the server_ip path parameter as a user ID and returns that user's complete action audit log without performing any authorization check. The application relies solely on the fact that the user is authenticated, not on whether that user has permission to access a specific user's history. An attacker with any valid login—including low-privilege guest accounts—can enumerate other user IDs and retrieve their audit trails by manipulating the endpoint parameter. The issue stems from insufficient access control (CWE-863) combined with improper authorization resource mapping (CWE-639).
Business impact
For organizations using Roxy-WI to manage critical load balancing and web infrastructure, this vulnerability creates an insider threat amplifier. A disgruntled or compromised low-privilege account can conduct detailed reconnaissance of administrative activity—identifying who manages which systems, discovering patterns in deployment schedules, and documenting the full scope of what individual admins can access. This reconnaissance can inform lateral movement, privilege escalation, or social engineering attacks. Compliance frameworks (PCI-DSS, SOC 2, HIPAA) that require audit trail confidentiality may be violated. The exposure also undermines accountability by allowing unauthorized visibility into who performed what actions and when.
Affected systems
Roxy-WI version 8.2.6.4 and all prior versions are vulnerable. Roxy-WI is used to centrally manage configurations and operations for HAProxy, Nginx, Apache, and Keepalived servers, so the scope of impact depends on an organization's deployment footprint. Any organization relying on Roxy-WI for multi-server load balancing or web server orchestration is affected if they have not yet upgraded. The vendor has not released patches as of the publication date.
Exploitability
Exploitation is straightforward. An attacker needs only a valid Roxy-WI login credential—which may be obtained through credential compromise, default accounts, or legitimate but low-privilege guest access. No special tools or network positioning are required; the attack is a simple HTTP GET request from an authenticated session. The CVSS 3.1 score of 4.3 (MEDIUM) reflects low attack complexity and no user interaction required, but limited scope (confidentiality only, no integrity or availability impact). However, the ease of exploitation and the informational sensitivity of audit trails make this a practical concern even at MEDIUM severity.
Remediation
At publication, no official patches are available from the Roxy-WI vendor. Organizations should immediately review their access controls and audit logging for evidence of unauthorized history queries. Contact your Roxy-WI vendor to request patching timeline and interim workarounds. In the interim, consider network-layer access controls to restrict who can reach the Roxy-WI management interface, and monitor for suspicious /history endpoint access patterns. Reduce the number of users with Roxy-WI access to the minimum necessary. Verify the vendor's advisory and patch availability before deploying any update.
Patch guidance
Monitor the Roxy-WI project repository and vendor advisories for patch releases. When patches become available, verify the version number and release notes carefully—particularly confirm that the /history endpoint now enforces proper authorization checks. Test patches in a non-production environment before rollout. Because no patch is currently available, document your Roxy-WI version and prioritize upgrade planning once a vendor release is announced. Subscribe to the vendor's security notification channels to receive immediate notification of available fixes.
Detection guidance
In Roxy-WI logs or your WAF/reverse proxy in front of it, search for GET requests to /history/user/* endpoints, particularly those originating from unexpected user sessions or IP addresses. Look for repeated or sequential user ID enumeration attempts (e.g., /history/user/1, /history/user/2, etc.). Compare the user making the request to the user ID being queried—legitimate use should typically involve users querying their own history. Elevated audit trail queries by guest or low-privilege accounts are a strong indicator of abuse. Enable detailed request logging if it is not already active.
Why prioritize this
Although the CVSS score is MEDIUM (4.3), this vulnerability merits prompt attention because audit trail confidentiality is a foundational security control. Unauthorized visibility into administrative actions can enable social engineering, reconnaissance for lateral movement, and compliance violations. The ease of exploitation—requiring only an authenticated session—makes it a low-barrier attack for insiders or accounts compromised by phishing. Organizations managing sensitive infrastructure (e-commerce, banking, healthcare) should treat this as a near-term priority until patches are available and deployed.
Risk score, explained
CVSS 3.1 score of 4.3 reflects: Attack Vector Network (AV:N), Attack Complexity Low (AC:L), Privileges Required for Login (PR:L), User Interaction None (UI:N), Scope Unchanged (S:U), and Confidentiality Impact Low (C:L) with no Integrity or Availability impact (I:N, A:N). The MEDIUM rating acknowledges that exploitation is simple and requires only authentication, but impact is limited to disclosure of audit history. The practical risk is amplified by the sensitive nature of the disclosed information and its utility in planning further attacks, though the CVSS vector itself does not account for those downstream risks.
Frequently asked questions
Can an attacker use this to gain control of my infrastructure?
No. This vulnerability exposes audit trail history only; it does not grant the attacker permission to modify configurations, restart services, or manage servers directly. However, the exposed history (which admins touched which servers, when, and what they changed) can be used to plan follow-up attacks, such as privilege escalation or lateral movement.
Do I need to rotate all user credentials if we have been running Roxy-WI 8.2.6.4?
Not necessarily, unless you have evidence of unauthorized access to user history in your logs. However, review audit logs for suspicious /history/user/* requests. If your Roxy-WI instance is internet-facing or has been compromised, credential rotation is prudent. At minimum, audit and remove unnecessary user accounts and enforce stronger password policies.
What should I do while waiting for an official patch?
Restrict network access to your Roxy-WI interface (firewall rules, VPN requirement, IP whitelisting), reduce the number of active user accounts to the essential minimum, and enable detailed logging of all /history endpoint requests. Monitor those logs for enumeration attempts. Document your Roxy-WI version and subscribe to vendor security notifications so you can patch immediately when a fix is released.
Is Roxy-WI on any government or vendor patch deadline list?
No. At publication, this vulnerability is not on the CISA KEV (Known Exploited Vulnerabilities) catalog, meaning there is no active evidence of weaponized exploitation in the wild. However, absence from KEV does not mean the risk is low—it reflects that public exploit code has not been widely deployed, not that the flaw is trivial. Treat this as a credible internal threat until patched.
This analysis is based on publicly available information as of the publication date (2026-06-10). No CVSS score, patch status, or vendor details should be considered canonical without verification against the official vendor advisory and security bulletins. Organizations should verify the exact version of Roxy-WI they operate and confirm patch availability before deployment. This information is provided for informational and defensive purposes only; no exploit code or weaponization guidance is included. SEC.co makes no warranty regarding the completeness or accuracy of this analysis and recommends consulting with your security team and the vendor directly for environment-specific guidance. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-42999MEDIUMOpenStack Keystone RBAC Bypass via JSON Request Body Injection
- CVE-2026-10038MEDIUMCharitable WordPress Plugin IDOR Arbitrary Attachment Deletion Vulnerability
- CVE-2026-10154MEDIUMDolibarr ERP CRM Authorization Bypass in Messaging Module
- CVE-2026-10211MEDIUMAstrBot 4.23.6 Path Normalization Authorization Bypass
- CVE-2026-10212MEDIUMAstrBot 4.24.2 Authorization Bypass via Session ID Manipulation
- CVE-2026-10597MEDIUMOMICARD EDM Unauthenticated Email Disclosure Vulnerability
- CVE-2026-10616MEDIUMAuthorization Bypass in nextlevelbuilder GoClaw Task Completion
- CVE-2026-10815MEDIUMAuthorization Bypass in Hostel Management System PHP