Severity: HIGH | CVE-2026-45567 | CNA: GitHub_M

CVE-2026-45567: Roxy-WI: Authentication bypass via 'api' substring in URL + unauthenticated /api/gpt

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, there is an authentication bypass vulnerability via 'api' substring in URL + unauthenticated /api/gpt. At time of publication, there are no publicly available patches.

Metrics

CVSS v3.1: 8.3
Severity: HIGH
Fixed in: none published
Affected Products: 1


HarborGuard Analysis

Synopsis

Authentication bypass in Roxy-WI (versions 8.2.6.4 and prior) allows an unauthenticated remote attacker to reach protected endpoints by crafting a URL containing the 'api' substring, and to invoke the /api/gpt endpoint without any credentials. The vulnerability is reachable over the network with no authentication required and no victim interaction needed. Successful exploitation gives an attacker read access to data, the ability to modify state, and the ability to disrupt service availability across the managed Haproxy, Nginx, Apache, and Keepalived infrastructure controlled by the Roxy-WI instance. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment an upstream fix is published.

HarborGuard Coverage

Detection: Available

Detection capability is available across every HarborGuard environment: CVE-2026-45567 is ingested from upstream advisory feeds within minutes of publication and matched against all customer images in connected registries and CI/CD pipelines, including custom-built images that bundle Roxy-WI. No manual feed configuration is required to gain coverage.

Triage: Available

HarborGuard scores this finding at CVSS 8.3 (HIGH) and weights it against each environment's compliance policy to determine urgency and routing. Triage tickets are routed to the appropriate team inbox within each customer organization based on policy-defined ownership rules.

Patch: Pending upstream

Because no upstream fix version has been published for CVE-2026-45567, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment an upstream patch is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered without manual intervention once a fix version becomes available.

Exploit Conditions

  • Network reachability: Required

    The attacker must be able to reach the Roxy-WI web interface over the network; no local or physical access is required.

  • Authentication: Not required

    No credentials are needed; the bypass is triggered by crafting a URL with the 'api' substring or by calling /api/gpt directly.

  • Victim interaction: Not required

    The attacker sends requests directly to the server and no user action or social engineering is required to trigger the vulnerability.

  • Attack complexity: Low

    Attack complexity is low; the exploit is reliable and condition-free, requiring only a crafted HTTP request with no race conditions or environmental dependencies.

Blast Radius

  • Reads application data and configuration details exposed through bypassed authenticated endpoints, including information about managed Haproxy, Nginx, Apache, and Keepalived servers.
  • Modifies server configurations or state through write-capable API endpoints that become accessible after the authentication check is bypassed.
  • Disrupts availability of the Roxy-WI management interface or of the servers it controls by issuing unauthorized commands through the exposed API surface.
  • Invokes the /api/gpt endpoint without credentials, potentially leaking sensitive prompt data or consuming backend AI service quotas tied to the deployment.

How HarborGuard Handles This

Available on HarborGuard: this CVE is actively tracked with no fix version currently published, so HarborGuard monitors the upstream advisory on every ingest cycle and will surface a patched-image rebuild the moment a fix is released. In the interim, compensating controls are worth considering: network policy rules that restrict access to the Roxy-WI web interface to trusted internal IP ranges, egress filtering to limit lateral reach from a compromised instance, and feature-flag or reverse-proxy gating on the /api/gpt path specifically. For customers with auto-remediation enabled, the full rebuild, regression run, and PR flow against affected workloads will trigger automatically once an upstream fix version is available, with median time from CVE publication to merged patch PR for high-severity issues around 90 minutes in those environments.
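Until a fix ships, the two compensating controls named above (trusted-range restriction and gating of /api/gpt) can also be turned into a log hunt. The following is an added example, not HarborGuard's or Roxy-WI's code: it assumes the Roxy-WI interface sits behind a reverse proxy writing Common Log Format lines, and the trusted ranges and log lines are constructed for illustration.

```python
"""Hunt reverse-proxy access logs for request shapes described in CVE-2026-45567.

Added example (not HarborGuard's or Roxy-WI's code). Assumes Common Log Format
lines from a proxy in front of Roxy-WI; TRUSTED_NETS and SAMPLE_LOG are constructed.
"""
import ipaddress
import re
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Constructed: internal ranges from which Roxy-WI access is expected (see the
# "trusted internal IP ranges" control above).
TRUSTED_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.168.0.0/16")]

# Common Log Format: client - user [time] "METHOD path HTTP/x" status bytes
CLF_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+) [^"]*"')


def classify(request_target: str) -> Optional[str]:
    """Label a request target, or return None when it matches neither pattern."""
    segments = [s for s in urlsplit(request_target).path.split("/") if s]
    # The advisory names /api/gpt as reachable without credentials; flag every hit
    # so it can be compared against the reverse-proxy gate on that path.
    if segments[:2] == ["api", "gpt"]:
        return "api_gpt_endpoint"
    # The advisory describes the bypass as the substring 'api' anywhere in the URL,
    # so flag 'api' appearing outside the leading /api/ route segment. This is a
    # heuristic: an unrelated path such as /capital would also match.
    if "api" in request_target.lower() and (not segments or segments[0] != "api"):
        return "api_substring_outside_api_route"
    return None


def hunt(log_lines: List[str]) -> List[Tuple[str, str, str, str, bool]]:
    """Return (client, method, target, label, from_trusted_net) for suspicious lines."""
    findings = []
    for line in log_lines:
        m = CLF_RE.match(line)
        if not m:
            continue  # not CLF; skip rather than guess
        client, method, target = m.groups()
        label = classify(target)
        if label is None:
            continue
        trusted = any(ipaddress.ip_address(client) in net for net in TRUSTED_NETS)
        findings.append((client, method, target, label, trusted))
    return findings


# Constructed sample lines: two ordinary requests from a trusted range, then two
# from outside it that match the advisory's patterns.
SAMPLE_LOG = [
    '10.0.0.5 - - [01/Jan/2026:10:00:00 +0000] "GET /overview HTTP/1.1" 200 512',
    '10.0.0.5 - - [01/Jan/2026:10:00:01 +0000] "GET /api/servers HTTP/1.1" 200 1024',
    '203.0.113.7 - - [01/Jan/2026:10:00:02 +0000] "GET /servers?view=api HTTP/1.1" 200 2048',
    '203.0.113.7 - - [01/Jan/2026:10:00:03 +0000] "POST /api/gpt HTTP/1.1" 200 300',
]
```

Findings with `from_trusted_net` set to False are the ones the network-policy control should have blocked; any hit on `api_gpt_endpoint` indicates the reverse-proxy gate on that path is not in place.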

Affected packages
  • roxy-wi / roxy-wi
    <= 8.2.6.4
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:L/I:L/A:L