CVE-2026-45567: Roxy-WI Authentication Bypass in HAProxy/Nginx Management Interface
Roxy-WI, a popular web management interface for load balancers and web servers (HAProxy, Nginx, Apache, and Keepalived), contains an authentication bypass flaw in version 8.2.6.4 and earlier. An attacker can reach the unauthenticated /api/gpt endpoint by crafting a URL containing the 'api' substring, bypassing login requirements. This allows unauthorized access to administrative functions without valid credentials.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.3 HIGH · CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L
- Weaknesses (CWE)
- CWE-287, CWE-306, CWE-697
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-06-17
NVD description (verbatim)
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, there is an authentication bypass vulnerability via 'api' substring in URL + unauthenticated /api/gpt. At time of publication, there are no publicly available patches.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-45567 exploits improper access control in Roxy-WI's authentication middleware. The vulnerability stems from a URL parsing logic flaw where the presence of 'api' in the request path triggers a bypass of credential validation for the /api/gpt endpoint. The issue affects versions 8.2.6.4 and below. The attack surface is network-accessible, requires no user interaction, and carries no privilege prerequisites—an unauthenticated remote attacker can directly invoke the vulnerable endpoint.
Business impact
Organizations using Roxy-WI to manage their load-balancing and web server infrastructure face direct compromise of administrative access. An attacker gaining unauthorized access to the management interface can reconfigure HAProxy, Nginx, Apache, or Keepalived settings, redirect traffic, inject malicious content, disrupt availability, or gather sensitive infrastructure data. The scope extends across the entire managed infrastructure, potentially affecting all downstream services dependent on these servers.
Affected systems
Roxy-WI version 8.2.6.4 and all prior releases are vulnerable. The web interface itself runs on the administrator's network, typically accessible from trusted networks or VPNs, but the authentication bypass means that network boundary alone does not provide protection. Any system with Roxy-WI deployed to manage HAProxy, Nginx, Apache, or Keepalived instances is at risk.
Exploitability
Exploitability is straightforward. The vulnerability requires only network access to the Roxy-WI web interface port and knowledge of the /api/gpt endpoint. No authentication credentials, user interaction, or complex exploitation technique is needed. An attacker can issue a simple HTTP request to the affected endpoint and retrieve or manipulate configuration data. The low attack complexity and absence of barriers make this high-risk from an exploitation standpoint.
Remediation
At publication, no official security patches are available from the Roxy-WI developers. Organizations must implement interim controls: restrict network access to the Roxy-WI management interface using firewall rules or IP allowlisting, isolate it to a dedicated administrative network segment, disable or rename the /api/gpt endpoint if not in active use, and monitor for suspicious API calls. Upgrade to a patched version immediately when released by checking the vendor's security advisories.
Patch guidance
No patches were available at time of vulnerability publication (2026-06-10). Monitor Roxy-WI's official release notes and security advisories for a patched version. When a fix becomes available, verify the version number against the vendor advisory to confirm it addresses CVE-2026-45567. Plan a maintenance window to deploy the patch, as it will likely require a restart of the management interface. Test in a non-production environment first.
Detection guidance
Hunt for HTTP requests to /api/gpt or similar /api/* endpoints that originate from unexpected sources or lack proper authentication headers. Log and alert on any successful responses (HTTP 200) from the /api/gpt endpoint without preceding successful login or session establishment. Review Roxy-WI access logs for patterns of unauthenticated API calls. Consider deploying a Web Application Firewall (WAF) rule to block requests to /api/gpt unless they include valid session tokens or originate from whitelisted IPs.
Why prioritize this
This vulnerability warrants urgent prioritization. It enables complete bypass of authentication to a critical infrastructure management tool with a CVSS score of 8.3 (High). The attack requires no user interaction or special privileges, affects all deployed versions up to 8.2.6.4, and can be exploited remotely over the network with minimal effort. Exposure of the Roxy-WI interface directly jeopardizes the security posture of all managed load-balancers and web servers. The absence of publicly available patches at publication further elevates the risk, as only defensive measures are immediately available.
Risk score, explained
CVSS 3.1 score of 8.3 reflects: Network-accessible attack vector (AV:N), low attack complexity (AC:L), no privilege requirement (PR:N), no user interaction needed (UI:N), changed scope (S:C) affecting other systems beyond the vulnerable component, and confidentiality/integrity/availability impacts (C:L/I:L/A:L). The High severity rating is justified given the centrality of Roxy-WI in infrastructure management and the trivial exploitation path.
Frequently asked questions
Can this vulnerability be exploited from outside our network if Roxy-WI is behind a firewall?
Yes, if the Roxy-WI port is reachable from your network perimeter or from any compromised internal host. The authentication bypass requires only network access to the service—it does not depend on the attacker being on the same subnet. Firewall rules that restrict inbound access to trusted administrative IPs are essential for defense-in-depth.
Does upgrading to a newer Roxy-WI version immediately protect us?
Only if that version includes a fix for CVE-2026-45567. At publication, no patches were publicly available. Always verify against the vendor's security advisory that the version you're upgrading to explicitly addresses this CVE before deploying in production.
What is the 'api' substring exploitation method, and how can we tell if we've been compromised?
The vulnerability allows an attacker to bypass authentication by including 'api' in the request path to reach the unauthenticated /api/gpt endpoint. Review your Roxy-WI logs for GET or POST requests to /api/gpt or similar endpoints from sources that did not first authenticate. Unexpected configuration changes to your HAProxy, Nginx, Apache, or Keepalived instances also indicate potential compromise.
Are there workarounds other than network isolation?
Network isolation is the strongest interim control. Additionally, monitor the /api/gpt endpoint closely, disable it if not in active use, and consider running a WAF in front of Roxy-WI to enforce authentication. However, these are temporary measures—patching is the definitive solution once available.
This analysis is based on the CVE-2026-45567 entry and published vulnerability data as of 2026-06-17. No patches were confirmed available at publication. Organizations should verify all patch and version information directly with the Roxy-WI vendor before deploying mitigations. SEC.co does not provide tailored risk assessments for individual infrastructure configurations; consult your security team or a qualified third party for organization-specific guidance. Exploitation in production environments may have legal implications; verify compliance requirements before conducting testing. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-10243HIGHSmart Parking System 1.0 Authentication Bypass – Remote Admin Access
- CVE-2026-10281HIGHEnderfga claw-orchestrator Authentication Bypass – Patch Available
- CVE-2026-10617HIGHGoClaw Webhook Authentication Bypass – Remote Exploitation
- CVE-2026-46827HIGHOracle E-Business Suite Payroll Remote Compromise – 8.8 CVSS
- CVE-2026-10283MEDIUMBottelet DaybydayCRM Authentication Bypass in Settings Handler
- CVE-2023-54350HIGHWordPress Augmented-Reality Plugin Remote Code Execution
- CVE-2026-10157HIGHOpen5GS NGAP Authentication Bypass Vulnerability – 5G Core Network Risk
- CVE-2026-10167HIGHAuthentication Bypass in BrinaryBrains School Management System