External risk intelligence

Roxy-WI Unauthorized Monitoring Check Modification

CVE advisory

Severity: CRITICAL (CVSS 9.1)

CVE-2026-45550

Roxy-WI, a web interface for managing server infrastructure, contains a vulnerability that allows authenticated users to silently modify the monitoring checks of other tenants. This could disrupt service availability or lead to unauthorized changes to critical monitoring configurations. A patch is not yet publicly avai

Halo Surface Signal: 4

External exposure likelihood


Roxy-WI is a web-based management interface designed for controlling infrastructure components like load balancers and web servers. Such tools are typically deployed as centralized, externally reachable administration portals to facilitate remote management of network services, making the web interface and its associated API endpoints commonly accessible over the network.

PCI scan relevance


Yes

CVE-2026-45550 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows any authenticated user to modify monitoring checks belonging to other tenants, posing a risk to PCI compliance.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory addresses a critical vulnerability in Roxy-WI, a web interface used to manage critical server infrastructure like HAProxy and Nginx. The flaw allows authenticated users to silently alter monitoring configurations for other tenants, potentially disrupting service availability or leading to unauthorized changes. While a patch is not yet available, understanding the nature of this threat is important for assessing potential impact.

  • Authenticated users can change other tenants' monitoring settings.
  • It impacts critical server management interfaces.
  • Confirm relevance and exposure to affected systems.

Attack Path

How an attacker could exploit the issue

An authenticated user of Roxy-WI can manipulate monitoring checks for other tenants. The vulnerability lies in how the application handles updates to monitoring configurations, specifically allowing any authenticated user to modify any monitoring check regardless of their assigned tenant. This could lead to the unauthorized alteration of critical monitoring settings.

  • Authenticated user access is required.
  • PUT request to `/smon/check` can be abused.
  • Unauthorized modification of monitoring checks.

Live Threat

Current exploitation, exposure, and threat context

An authenticated user could alter monitoring checks configured by other users. This could impact the reliability of services managed by Roxy-WI by silently disabling or modifying their monitoring.

  • Affects monitoring check configurations.
  • Works by overwriting other users' checks.
  • Service monitoring reliability may degrade.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Understanding ownership and initial steps for this vulnerability requires identifying the team responsible for the Roxy-WI application and its underlying infrastructure. The first practical move is to determine where Roxy-WI is deployed, assess its network exposure and business criticality, and identify the accountable owner before planning remediation.

  • Application owners and infrastructure teams should own remediation.
  • Verify Roxy-WI deployment and network exposure.
  • Plan remediation based on identified risks.

Frequently asked questions

What is Roxy-WI?

Roxy-WI is a centralized web-based management interface designed to simplify the configuration and administration of critical network infrastructure, including HAProxy, Nginx, Apache, and Keepalived load balancers and web servers.

How does CVE-2026-45550 affect security?

This vulnerability is an Improper Authorization flaw. While the system checks if a user is logged in, it fails to verify if that user actually owns the monitoring check they are trying to modify. This allows an authenticated user to bypass logical boundaries and overwrite the configurations of other tenants.
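The flaw class described above, shown as an added example that is not Roxy-WI's code: one update handler that only checks for a logged-in user, beside one that also checks tenant ownership. The `User`, `Check`, `tenant_id` and handler names are hypothetical, and the data is constructed.

```python
from dataclasses import dataclass
from typing import Dict, Optional


class Forbidden(Exception):
    """Caller may not modify the requested check."""


@dataclass
class User:
    user_id: int
    tenant_id: int  # hypothetical tenant identifier


@dataclass
class Check:
    check_id: int
    tenant_id: int  # tenant that owns this check
    enabled: bool = True


def sample_checks() -> Dict[int, Check]:
    # Constructed data: one check per tenant.
    return {1: Check(1, tenant_id=10), 2: Check(2, tenant_id=20)}


def update_check_vulnerable(store, user: Optional[User], check_id: int, enabled: bool) -> Check:
    # Flawed pattern: only authentication is checked before the write.
    if user is None:
        raise Forbidden("login required")
    check = store[check_id]
    check.enabled = enabled  # any logged-in user reaches this line
    return check


def update_check_hardened(store, user: Optional[User], check_id: int, enabled: bool) -> Check:
    if user is None:
        raise Forbidden("login required")
    check = store.get(check_id)
    # Object-level authorization: the check must belong to the caller's tenant.
    # Missing and foreign checks fail identically so ids cannot be probed.
    if check is None or check.tenant_id != user.tenant_id:
        raise Forbidden("no such check for this tenant")
    check.enabled = enabled
    return check
```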

Can an unauthenticated attacker trigger this bug?

No. The vulnerability requires a valid user account within the Roxy-WI interface to execute the problematic update request. Unauthenticated users cannot trigger this specific authorization failure because the system initially gates the endpoint by requiring a logged-in session.

Is my Roxy-WI instance at risk?

According to Halo Surface Signal, Roxy-WI is frequently deployed as an externally reachable administration portal to facilitate remote management. If your instance is accessible over the internet, it is more likely to be exposed to this risk than an instance restricted to an internal-only network.

What steps should I take if I use Roxy-WI?

Begin by identifying the team responsible for managing your Roxy-WI deployment. Assess whether the instance is exposed to the internet or restricted to internal networks, and determine the business impact if monitoring configurations were altered. Since no patch is currently available, prioritize restricting access to the application to trusted users only.
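To support the access-restriction step, the following added example (not part of the advisory or of Roxy-WI) audits reverse-proxy access logs for successful `PUT` requests to `/smon/check` that came from outside trusted networks. The combined log format, the `TRUSTED_NETS` subnet, the sub-path matching and the sample lines are assumptions constructed for illustration.

```python
import ipaddress
import re
from collections import Counter

# Combined-log-format prefix: client, ident, user, [time], "METHOD path proto", status
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) '
)

# Assumption: the subnet your Roxy-WI administrators connect from.
TRUSTED_NETS = [ipaddress.ip_network("10.20.0.0/24")]

# Constructed sample log lines.
SAMPLE_LOG = """\
10.20.0.5 - - [12/May/2026:09:14:02 +0000] "PUT /smon/check HTTP/1.1" 200 57
203.0.113.44 - - [12/May/2026:09:15:40 +0000] "PUT /smon/check HTTP/1.1" 200 57
203.0.113.44 - - [12/May/2026:09:15:41 +0000] "PUT /smon/check?x=1 HTTP/1.1" 200 57
203.0.113.44 - - [12/May/2026:09:16:00 +0000] "GET /smon/check HTTP/1.1" 200 912
198.51.100.7 - - [12/May/2026:09:17:13 +0000] "PUT /smon/check HTTP/1.1" 401 0
not a log line
"""


def is_trusted(ip_text: str) -> bool:
    try:
        ip = ipaddress.ip_address(ip_text)
    except ValueError:
        return False  # hostnames or garbage are treated as untrusted
    return any(ip in net for net in TRUSTED_NETS)


def untrusted_check_updates(log_text: str) -> Counter:
    """Count successful PUT /smon/check requests per client outside TRUSTED_NETS."""
    hits = Counter()
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m or m["method"] != "PUT":
            continue
        path = m["path"].split("?", 1)[0]  # ignore any query string
        if path != "/smon/check" and not path.startswith("/smon/check/"):
            continue
        if m["status"].startswith("2") and not is_trusted(m["ip"]):
            hits[m["ip"]] += 1
    return hits
```

Access logs do not show which tenant owned the modified check, so each hit is a lead to compare against the application's own records of who changed what.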
