CVE-2026-45549 | Severity: HIGH | CNA: GitHub_M

CVE-2026-45549: Roxy-WI: Authorization bypass on POST /smon/agent/action/<action> — guest can stop or restart smon-agent on any host

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, agent_action (app/routes/smon/agent_routes.py:166-179) has decorators @bp.post('/agent/action/<action>') and @jwt_required() only — no role check, no group ownership check on the server_ip form field. Any authenticated user, including role 4 (guest), can start, stop, or restart the roxy-wi-smon-agent systemd unit on any server they can name. Roxy-WI executes the systemd action over its own SSH credentials (passwordless sudo), so the action runs as root on the target. At time of publication, there are no publicly available patches.
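The authorization decision that the description says agent_action lacks, shown as an added Python illustration (this is not Roxy-WI's own code): a vulnerable shape that gates only on the presence of a JWT, next to a hardened shape that allow-lists the action, rejects the guest role, validates server_ip as an IP literal and requires the named server to belong to the caller's group. The User and Server records, the group model, the non-guest role numbers and the exact shape of the SSH command are assumptions; only role 4 = guest and the unit name come from the advisory.

```python
"""Added illustration, not Roxy-WI code: the checks the /agent/action/<action>
route should make before running systemctl as root over SSH."""
from dataclasses import dataclass
import ipaddress

ROLE_GUEST = 4  # from the advisory; lower numbers are assumed to be more privileged
ALLOWED_ACTIONS = frozenset({"start", "stop", "restart"})
UNIT = "roxy-wi-smon-agent"


@dataclass(frozen=True)
class User:          # assumed shape of the JWT identity
    username: str
    role: int
    group_id: int


@dataclass(frozen=True)
class Server:        # assumed shape of a row in the servers inventory
    ip: str
    group_id: int


# Constructed inventory standing in for the Roxy-WI servers table.
SERVERS = {
    "10.0.1.10": Server("10.0.1.10", group_id=1),
    "10.0.2.20": Server("10.0.2.20", group_id=2),
}


def build_systemctl(action, server_ip):
    """Assumed shape of the command Roxy-WI runs over its root-capable SSH session."""
    return ["ssh", server_ip, "sudo", "systemctl", action, UNIT]


def agent_action_vulnerable(jwt_user, action, server_ip):
    """Mirrors the pre-fix behaviour: a valid JWT is the only gate.
    Returns (http_status, command) where command is what would be executed."""
    if jwt_user is None:
        return (401, None)
    return (200, build_systemctl(action, server_ip))


class Forbidden(Exception):
    """Raised when any authorization check fails; mapped to HTTP 403."""


def authorize_agent_action(user, action, server_ip):
    """The checks the vulnerable route omits. Returns the Server on success."""
    if action not in ALLOWED_ACTIONS:
        raise Forbidden(f"unknown action {action!r}")
    if user.role >= ROLE_GUEST:
        raise Forbidden("guest accounts may not control agents")
    try:
        ipaddress.ip_address(server_ip)  # reject anything that is not an IP literal
    except ValueError:
        raise Forbidden("server_ip must be an IP literal") from None
    server = SERVERS.get(server_ip)
    if server is None or server.group_id != user.group_id:
        # one response for "unknown" and "not yours" so inventory is not enumerable
        raise Forbidden("server is not in the caller's group")
    return server


def agent_action_hardened(user, action, server_ip):
    """Same contract as agent_action_vulnerable, with authorization enforced."""
    if user is None:
        return (401, None)
    try:
        server = authorize_agent_action(user, action, server_ip)
    except Forbidden:
        return (403, None)
    return (200, build_systemctl(action, server.ip))


if __name__ == "__main__":
    guest = User("eve", role=ROLE_GUEST, group_id=1)
    print(agent_action_vulnerable(guest, "stop", "10.0.2.20"))  # (200, [...]) on any host
    print(agent_action_hardened(guest, "stop", "10.0.2.20"))    # (403, None)
```

The group check is the one that matters most in a multi-tenant deployment: a non-guest user in group 1 is still refused a stop on a group-2 host, and an action or server_ip that is not on the allow-list is refused before anything reaches the SSH layer.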

Metrics

CVSS v3.1 score: 8.5
Severity: HIGH
Fixed in: no fixed version published
Affected products: 1


HarborGuard Analysis

Synopsis

An authorization bypass in Roxy-WI (versions 8.2.6.4 and prior) allows any authenticated user, including the lowest-privilege guest role, to send POST requests to the /smon/agent/action/<action> endpoint and trigger start, stop, or restart of the roxy-wi-smon-agent systemd unit on any managed server. The endpoint enforces only a valid JWT token and no role or group ownership check, so an attacker with any account can reach it over the network without elevated credentials. Successful exploitation lets the attacker stop or restart the monitoring agent on arbitrary servers, disrupting availability, and because Roxy-WI executes the action via passwordless sudo SSH, the systemd command runs as root on the target host. No upstream fix has been published; HarborGuard tracks the advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection of CVE-2026-45549 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that package Roxy-WI, in both registry scans and CI pipeline checks.

Triage: Available

Triage is available with the full CVSS v3.1 score of 8.5 (HIGH) applied to every match, weighted against each environment's compliance policy to determine urgency and blast-radius context. Findings are routed to the appropriate team inbox within each customer organization based on image ownership and policy configuration.

Patch: Pending upstream

Because no upstream fix version has been published for CVE-2026-45549, HarborGuard re-evaluates the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream fix is released. In the meantime, the advisory remains open and visible in each affected environment's finding queue so teams can apply compensating controls.

Exploit Conditions

  • Network reachability: Required

    The attacker must reach the Roxy-WI web interface over the network; the vulnerable endpoint is exposed over HTTP and is reachable from any client that can connect to the application (CVSS AV:N, so no adjacency to the host is needed).

  • Authentication: Required

    A valid JWT session token is required, but any low-privilege account, including a guest (role 4) account, is sufficient; no elevated or administrative credentials are needed (CVSS PR:L).

  • Victim interaction: Not required

    No victim interaction is needed; the attacker sends the POST request directly and the action executes without any user involvement on the target side.

  • Attack complexity: Low

    The exploit is a single authenticated POST request from a low-privilege account naming the target in the server_ip form field; there are no race conditions, memory-layout dependencies or environmental preconditions beyond holding a valid session token.

Blast Radius

  • Stops or restarts the roxy-wi-smon-agent monitoring service on any server the attacker names, taking the monitoring agent offline on those hosts.
  • Because Roxy-WI issues the systemd command over its own passwordless-sudo SSH credentials, the start/stop/restart action executes as root on the target server.
  • Repeated or coordinated stop actions across multiple servers can disrupt monitoring coverage organization-wide, masking other ongoing attacks or outages.
  • Monitoring of the services the agent tracks is degraded or silenced, so alerts on production infrastructure may be missed.

How HarborGuard Handles This

Available on HarborGuard: detection of CVE-2026-45549 is active for all images packaging Roxy-WI at or below version 8.2.6.4. Because no upstream patch exists at this time, HarborGuard re-checks the advisory on every ingest cycle and will surface a patched-image rebuild automatically once an upstream fix is published. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention at that point. While no patch is available, recommended compensating controls include applying network-policy rules to restrict access to the Roxy-WI interface to known trusted source IPs, enforcing a minimum user-role policy to avoid issuing guest accounts on production Roxy-WI instances, and reviewing SSH credential scope to limit the blast radius of any successful exploitation.

Affected packages
  • roxy-wi / roxy-wi: <= 8.2.6.4

CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:N/I:L/A:H