HarborGuard Database

CVE-2026-45552 (CRITICAL). CNA: GitHub_M

CVE-2026-45552: Roxy-WI: Cross-tenant authorization bypass on /install/* — guest can run Ansible / SSH on every registered server

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the install blueprint declares only bp.before_request → @jwt_required() (app/routes/install/routes.py:36-39). The individual endpoints install_exporter, install_waf, install_geoip, check_geoip, get_exporter_version, and get_task_status are not wrapped in page_for_admin and do not call roxywi_common.is_user_has_access_to_its_group(server_ip) or check_is_server_in_group(server_ip). Only the GET index page (install_monitoring) is gated by roxywi_auth.page_for_admin(level=2). Because those decorators and calls are missing, neither the role check nor the group check runs, so any logged-in user — including the default guest role 4 — can install or reconfigure exporters, WAF, and GeoIP databases on every server in the Roxy-WI database, regardless of tenant ownership. The Ansible playbooks run with the per-server SSH credential stored in Roxy-WI, which the credential's rightful owner (a different tenant) has provisioned with sudo rights for the management workflow. At time of publication, there are no publicly available patches.
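The following is an added, constructed model of the authorization gap described above; it is not Roxy-WI's code. The names page_for_admin and is_user_has_access_to_its_group come from the advisory, but their bodies, the role/level semantics (lower role number means more privilege, guest is 4) and the server inventory are assumptions made for illustration. It places a handler guarded only by the login check next to one that also enforces the role and tenant-group checks the advisory says are missing.

```python
from dataclasses import dataclass
from functools import wraps

@dataclass(frozen=True)
class User:
    name: str
    role: int       # assumed: 1 = superadmin ... 4 = guest (default), as cited in the advisory
    group_id: int   # tenant group the user belongs to

# Constructed inventory: server IP -> owning tenant group (not real data)
SERVER_GROUPS = {"10.0.0.10": 1, "10.0.0.20": 2}

class Forbidden(Exception):
    pass

def jwt_required(fn):
    """Stands in for bp.before_request -> @jwt_required(): proves a login exists, nothing more."""
    @wraps(fn)
    def wrapper(user, *args, **kwargs):
        if user is None:
            raise Forbidden("login required")
        return fn(user, *args, **kwargs)
    return wrapper

def page_for_admin(level):
    """Assumed role gate: the caller's role number must not exceed `level`."""
    def deco(fn):
        @wraps(fn)
        def wrapper(user, *args, **kwargs):
            if user.role > level:
                raise Forbidden(f"role {user.role} exceeds required level {level}")
            return fn(user, *args, **kwargs)
        return wrapper
    return deco

def is_user_has_access_to_its_group(user, server_ip):
    """Tenant check the advisory says the install endpoints never call."""
    return SERVER_GROUPS.get(server_ip) == user.group_id

@jwt_required
def install_exporter_vulnerable(user, server_ip):
    # Login gate only: every authenticated user reaches this for every server.
    return f"run playbook on {server_ip} as {user.name}"

@jwt_required
@page_for_admin(level=2)
def install_exporter_hardened(user, server_ip):
    # Role gate plus a per-request tenant check before the server is touched.
    if not is_user_has_access_to_its_group(user, server_ip):
        raise Forbidden(f"{server_ip} is not in group {user.group_id}")
    return f"run playbook on {server_ip} as {user.name}"

def attempt(handler, user, server_ip):
    """Report 'allowed' or 'denied' so the two handlers can be compared."""
    try:
        handler(user, server_ip)
        return "allowed"
    except Forbidden:
        return "denied"

GUEST = User("guest", role=4, group_id=1)          # constructed default-guest account
TENANT2_ADMIN = User("admin2", role=1, group_id=2)  # constructed admin of another tenant
```

Running attempt() over the two handlers with the constructed users shows the guest reaching another tenant's server through the vulnerable handler and being refused by the hardened one, while the hardened handler still lets an admin manage servers in their own group only.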

Metrics

CVSS v3.1: 9.9
Severity: CRITICAL
Fixed in: no fix version published
Affected Products: 1


HarborGuard Analysis

Synopsis

A cross-tenant authorization bypass in Roxy-WI, the web management interface for HAProxy, Nginx, Apache, and Keepalived, allows any authenticated user (including guest-role accounts) to invoke install and configuration endpoints against servers they have no business accessing. The vulnerability is reachable over the network with only a low-privilege login and requires no victim interaction. Successful exploitation gives an attacker the ability to run Ansible playbooks and SSH commands using credentials provisioned by other tenants, resulting in full remote code execution, data disclosure, and service disruption across all servers registered in the Roxy-WI database. No upstream patch is available at this time; HarborGuard tracks the advisory for patch availability.

HarborGuard Coverage

Detection: Available

Detection for CVE-2026-45552 is available across every HarborGuard environment; the CVE is matched against customer images within minutes of ingestion from upstream advisory feeds, covering both base images and custom-built images that include the roxy-wi package at version 8.2.6.4 or earlier.

Triage: Available

HarborGuard is capable of scoring this CVE at its published CVSS v3.1 severity of 9.9 (Critical) and can weight that score against each environment's compliance policy to route alerts to the appropriate team inbox within a customer organization.

Patch: Pending upstream

Because no upstream fix version has been published, HarborGuard re-evaluates this advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression test run, and PR against affected workloads will be triggered automatically once a fix version is confirmed.

Exploit Conditions

  • Network reachability: Required

    The vulnerable endpoints are exposed over the network (AV:N); an attacker must be able to reach the Roxy-WI web interface over HTTP/HTTPS.

  • Authentication: Required

    A valid login is required (PR:L), but any low-privilege account, including the default guest role (role level 4), is sufficient to reach the unguarded endpoints.

  • Victim interaction: Not required

    No victim interaction is needed (UI:N); the attacker sends requests directly to the install blueprint endpoints without any user having to click or approve anything.

  • Attack complexity: Low

    Attack complexity is low (AC:L); the authorization bypass is unconditional and requires no race condition, memory layout knowledge, or other environmental prerequisite.

Blast Radius

  • Attacker executes arbitrary Ansible playbooks and SSH commands on every server registered in the Roxy-WI database, using SSH credentials provisioned by other tenants with sudo rights.
  • Attacker installs or reconfigures exporters, WAF modules, and GeoIP databases on servers belonging to other tenants, modifying persistent service configuration without authorization.
  • Attacker reads server credentials and configuration data stored in the Roxy-WI database for all tenants, disclosing secrets provisioned by unrelated organizations.
  • Attacker crashes or destabilizes HAProxy, Nginx, Apache, or Keepalived services on affected servers by pushing malformed configurations through the exposed install endpoints.

How HarborGuard Handles This

Available on HarborGuard: because no upstream patch exists for CVE-2026-45552 at this time, HarborGuard continuously re-checks the advisory feed on every ingest cycle and will surface a patched-image rebuild the moment a fix version is published. For customers with auto-remediation enabled, that rebuild will trigger immediately along with a regression-test run and a PR opened against affected workloads. While no patch is available, compensating controls worth considering include applying a network policy that restricts access to the Roxy-WI management interface to specific trusted source CIDRs, adding an egress filter that prevents the Roxy-WI container from initiating outbound SSH connections to production infrastructure, and auditing all guest-role accounts to revoke or restrict logins where the Roxy-WI install blueprint is reachable. HarborGuard will continue tracking this advisory and will automatically promote it to a patchable state without requiring any manual re-scan configuration.

Affected packages

  • roxy-wi / roxy-wi: <= 8.2.6.4

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H