CVE-2026-45550: Roxy-WI: IDOR on PUT /smon/check — any user can rewrite any tenant's monitoring URL/IP/body
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, PUT /smon/check (app/routes/smon/routes.py:117-138) gates only on roxywi_common.check_user_group_for_flask() — which validates that the caller has some group, not that the target check_id belongs to it. The downstream SQL update functions update_smon, update_smonHttp, update_smonTcp, update_smonPing, update_smonDns (app/modules/db/smon.py:515-562) all execute WHERE smon_id = ? with no user_group filter. The DELETE path is correctly filtered (app/modules/db/smon.py:319-327 does WHERE id = ? AND user_group = ?), demonstrating that the maintainers know the right pattern but did not apply it on UPDATE. Therefore any authenticated user can iterate over smon_id values and silently rewrite any other tenant's HTTP / TCP / Ping / DNS monitoring check. At time of publication, there are no publicly available patches.
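The two query shapes the advisory contrasts, as an added illustration rather than Roxy-WI's own code: the table layout, column names and function signatures below are assumptions, and only the WHERE-clause difference (`WHERE smon_id = ?` on UPDATE versus `... AND user_group = ?` on DELETE) is taken from the advisory. The example seeds two tenants, lets a low-privilege user in group 2 walk integer ids, and shows that the unscoped UPDATE rewrites tenant A's check while the group-scoped UPDATE only touches the attacker's own row.

```python
# Added illustration of the UPDATE-without-tenant-filter pattern described in the
# advisory. Not Roxy-WI's code: schema, column names and function signatures are
# assumptions; only the WHERE-clause difference comes from the advisory text.
import sqlite3

SCHEMA = """
CREATE TABLE smon (
    id         INTEGER PRIMARY KEY,
    user_group INTEGER NOT NULL,
    name       TEXT    NOT NULL
);
CREATE TABLE smon_http_check (
    smon_id INTEGER PRIMARY KEY REFERENCES smon(id),
    url     TEXT NOT NULL,
    body    TEXT NOT NULL DEFAULT ''
);
"""

# Constructed sample data: two tenants (user_group 1 and 2), one HTTP check each.
SEED = [
    (1, 1, "tenant-a api", "https://api.tenant-a.example/health"),
    (2, 2, "tenant-b api", "https://api.tenant-b.example/health"),
]


def make_db():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    for smon_id, group, name, url in SEED:
        conn.execute("INSERT INTO smon (id, user_group, name) VALUES (?, ?, ?)",
                     (smon_id, group, name))
        conn.execute("INSERT INTO smon_http_check (smon_id, url) VALUES (?, ?)",
                     (smon_id, url))
    conn.commit()
    return conn


def update_http_vulnerable(conn, smon_id, url, body, user_group):
    """The advisory's UPDATE shape: the route knows the caller's group (it passed
    the group check), but the group never reaches the WHERE clause, so any
    smon_id is writable. user_group is accepted and deliberately ignored."""
    cur = conn.execute(
        "UPDATE smon_http_check SET url = ?, body = ? WHERE smon_id = ?",
        (url, body, smon_id),
    )
    conn.commit()
    return cur.rowcount


def update_http_fixed(conn, smon_id, url, body, user_group):
    """The scoping the advisory credits to the DELETE path: the statement can only
    touch rows owned by the caller's group. A rowcount of 0 means 'not yours or
    does not exist' and should become a 403/404 at the route, never a silent 200."""
    cur = conn.execute(
        """UPDATE smon_http_check SET url = ?, body = ?
           WHERE smon_id = ?
             AND smon_id IN (SELECT id FROM smon WHERE user_group = ?)""",
        (url, body, smon_id, user_group),
    )
    conn.commit()
    return cur.rowcount


def get_url(conn, smon_id):
    row = conn.execute(
        "SELECT url FROM smon_http_check WHERE smon_id = ?", (smon_id,)
    ).fetchone()
    return row[0] if row else None


def enumerate_and_overwrite(conn, update_fn, attacker_group, new_url, max_id=64):
    """The 'iterate over smon_id values' step: a user in attacker_group walks
    small sequential integer ids and records which checks it repointed."""
    hijacked = []
    for smon_id in range(1, max_id + 1):
        if update_fn(conn, smon_id, new_url, "", attacker_group) > 0:
            hijacked.append(smon_id)
    return hijacked


def demo(attacker_group=2, new_url="http://attacker.example/"):
    """Run the enumeration against both query shapes on fresh databases; report
    which ids were rewritten and what tenant A's check now points at."""
    results = {}
    for label, fn in (("vulnerable", update_http_vulnerable),
                      ("fixed", update_http_fixed)):
        conn = make_db()
        hijacked = enumerate_and_overwrite(conn, fn, attacker_group, new_url)
        results[label] = {"hijacked": hijacked, "tenant_a_url": get_url(conn, 1)}
        conn.close()
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label:10s} rewritten ids={r['hijacked']} "
              f"tenant A now monitors {r['tenant_a_url']}")
```

The fixed variant relies on the database to enforce ownership rather than on a separate read-then-check, which avoids a window between the check and the write; the route should map a zero rowcount to an error response so that probing ids does not even confirm which ones exist.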
Metrics
- CVSS v3.1: 9.1
- Severity: CRITICAL
- Fixed in: — (no upstream fix published)
- Affected Products: 1
HarborGuard Analysis
Synopsis
This is an Insecure Direct Object Reference (IDOR) vulnerability in Roxy-WI, a web management interface for HAProxy, Nginx, Apache, and Keepalived. The PUT /smon/check endpoint accepts a monitoring check ID without verifying that the requesting user belongs to the tenant that owns that check, meaning any authenticated user can overwrite monitoring configuration belonging to other tenants by simply iterating over integer check IDs. Successful exploitation lets an attacker silently corrupt HTTP, TCP, Ping, and DNS monitoring checks across any tenant in the same Roxy-WI deployment. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
- Detection: Available. Detection for CVE-2026-45550 is available across every HarborGuard environment; the CVE is matched against customer images within minutes of ingestion from upstream advisory feeds, covering both upstream Roxy-WI images and any custom-built images that package the affected roxy-wi package at version 8.2.6.4 or earlier.
- Triage: Available. HarborGuard scores this finding at CVSS 9.1 Critical and weights it against each environment's compliance policy to determine urgency and routing. Triage findings are delivered to the team inbox configured for each customer organization so the right engineers see the alert without manual filtering.
- Remediation: Pending upstream. Because no fix version has been published upstream, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment the upstream maintainers ship a corrected release. Customers with auto-remediation enabled will receive a rebuilt image, a regression-test run, and a pull request opened against affected workloads as soon as a fix version is confirmed.
Exploit Conditions
- Network reachability: Required
  The attacker must reach the Roxy-WI web interface over the network; the AV:N vector token confirms this is remotely exploitable without physical or local access.
- Authentication: Required
  A valid account with any group membership is sufficient; the PR:L token confirms that low-privilege credentials, not administrator access, are all that is needed.
- Victim interaction: Not required
  No action from another user or tenant is needed; the attacker sends the crafted PUT request directly and the overwrite takes effect immediately.
- Attack complexity: Low
  Exploitation is straightforward and condition-free; the AC:L token indicates no race conditions, special memory layout, or environmental prerequisites are involved beyond knowing or guessing integer smon_id values, which are small sequential integers.
Blast Radius
- An attacker rewrites the target URL, IP address, or request body of any tenant's HTTP, TCP, Ping, or DNS monitoring check, causing those checks to silently monitor an attacker-controlled or incorrect endpoint.
- Falsified monitoring checks mask real service outages for victim tenants, delaying incident detection and response.
- Redirecting checks to an attacker-controlled endpoint leaks behavioral metadata such as check frequency and the source IP addresses of the monitoring agent, since the agent now connects to the attacker's host on every probe (limited confidentiality impact per C:L).
- Persistent corruption of monitoring configuration degrades the availability and reliability of the Roxy-WI monitoring subsystem for affected tenants (A:L per CVSS).
How HarborGuard Handles This
Available on HarborGuard: because no upstream patch exists for CVE-2026-45550 at time of publication, the platform monitors the advisory on every ingest cycle and will surface a patched-image rebuild automatically once the Roxy-WI maintainers release a corrected version. For customers with auto-remediation enabled, that rebuild will trigger a regression-test run and a pull request against affected workloads without manual intervention. In the interim, compensating controls worth evaluating include network-policy rules that restrict access to the Roxy-WI interface to known operator IP ranges, placement of the management interface behind a VPN or bastion that enforces stronger identity controls, and review of existing smon check configurations for target URLs, IP addresses or request bodies that the owning tenant did not set. Where compliance policy permits, teams can also consider temporarily blocking PUT /smon/check at the reverse-proxy layer until a fix is available; note that this blocks legitimate check edits for every tenant as well, so it is a short-term measure, and the proxy's access log will then record which accounts attempted the request and can be used to scope the configuration review.
Affected Products
- roxy-wi / roxy-wi <= 8.2.6.4
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L