External risk intelligence

Roxy-WI Insecure Access Allows Tenant Data Compromise

CVE advisory

Severity: CRITICAL (CVSS 9.9)

CVE-2026-45552

Roxy-WI, a web interface for managing servers, has a vulnerability where logged-in users can install or reconfigure components on any server in the database. This bypasses access controls, potentially allowing unauthorized modifications to server functions and data. Organizations using Roxy-WI should assess their expos

4Halo Surface Signal

External exposure likelihood

Halo Surface Signal score for CVE-2026-45552

Roxy-WI is a web-based management interface designed to configure infrastructure components like Nginx, HAProxy, and Apache. These management dashboards are typically deployed as centralized, web-accessible portals for administrators to manage edge services and network gateways, placing the interface itself in a position where it is commonly exposed to the management network or the internet.

PCI scan relevance

PCI Relevance for CVE-2026-45552

Yes

CVE-2026-45552 — Halo PCI Relevance: Yes. Under typical PCI ASV external scan criteria, this issue may be flagged for scan prioritization.

This vulnerability allows any logged-in user to install or reconfigure critical server components, potentially leading to unauthorized access and system compromise, making it relevant for PCI scans.

Scan-prioritization guidance only—not a PCI DSS certification or ASV attestation.

Horizon Alert

Summary of the vulnerability and why it matters

This advisory details a critical vulnerability in Roxy-WI, a web interface used for managing critical server infrastructure like HAProxy and Nginx. The flaw allows any logged-in user to potentially reconfigure or install components on any server managed by Roxy-WI, bypassing access controls. This could enable unauthorized modifications to server functions, impacting overall service stability and security.

  • Unauthorized users can change server configurations.
  • This impacts management interfaces for critical web services.
  • Verify if Roxy-WI is in use and assess potential exposure.

Attack Path

How an attacker could exploit the issue

An attacker with basic user access to Roxy-WI can reconfigure critical server components like exporters, WAF, and GeoIP databases. This is possible because specific installation and configuration endpoints lack proper authorization checks, allowing any logged-in user to execute these actions on any server managed by Roxy-WI. The Ansible playbooks then run with elevated privileges on the target server, potentially leading to a compromise of the server's integrity and data.

  • Entry condition: Logged-in user access to Roxy-WI.
  • Trigger point: Accessing specific configuration endpoints.
  • Resulting risk: Server compromise and data integrity loss.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, any logged-in user could reconfigure critical server management components and execute Ansible playbooks using stored credentials. This could affect system data, user data, and service behavior.

  • Server configuration and credentials at risk.
  • Any logged-in user can trigger actions.
  • Compromise of managed servers and data.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

The Roxy-WI platform's ownership likely falls to teams managing web interfaces for infrastructure components, such as application or platform teams. The immediate priority is to identify all Roxy-WI installations, confirm their accessibility and business criticality, and pinpoint the accountable owner before planning remediation efforts.

  • Identify Roxy-WI installations and ownership.
  • Verify reachability and business criticality.
  • Plan remediation based on assessed risk.

Frequently asked questions

What is Roxy-WI?

Roxy-WI is a centralized web management interface that provides a graphical dashboard for configuring and monitoring core infrastructure services like HAProxy, Nginx, Apache, and Keepalived. It simplifies administrative tasks by managing these servers through integrated Ansible playbooks.

How does CVE-2026-45552 affect Roxy-WI?

This vulnerability is an authorization flaw, specifically categorized as improper access control (CWE-862, CWE-863, and CWE-639). It occurs because certain backend management endpoints lack the necessary checks to verify if a user has permission to modify a specific server, allowing any authenticated user to bypass tenant restrictions.
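The missing check described above, shown as an added example that is not Roxy-WI's own code: an install handler that only requires a session, next to one that verifies the caller's role and that the target server belongs to the caller's group before the privileged playbook runs. All names, roles, group IDs and hostnames are hypothetical, and `run_playbook` is a stand-in that executes nothing.

```python
from dataclasses import dataclass

# Constructed roles and inventory for illustration; lower rank = more privileged.
ROLE_RANK = {"superadmin": 1, "admin": 2, "user": 3, "guest": 4}

@dataclass(frozen=True)
class User:
    name: str
    role: str
    group_id: int

@dataclass(frozen=True)
class Server:
    hostname: str
    group_id: int

SERVERS = {
    1: Server("edge-a.example", group_id=10),
    2: Server("edge-b.example", group_id=20),
}

class Forbidden(Exception):
    """Raised when the caller is not authorized for the requested action."""

def run_playbook(server, component):
    # Stand-in for the privileged Ansible run; returns a description only.
    return f"install {component} on {server.hostname}"

def install_unchecked(user, server_id, component):
    """Flawed pattern: any authenticated caller, server chosen by request ID."""
    return run_playbook(SERVERS[server_id], component)

def install_checked(user, server_id, component, max_rank=2):
    """Hardened pattern: role check, then object-level check, then the action."""
    if ROLE_RANK.get(user.role, 99) > max_rank:
        raise Forbidden("role may not install components")  # CWE-862 / CWE-863
    server = SERVERS.get(server_id)
    # Same error for unknown and foreign servers so IDs cannot be enumerated.
    if server is None or (user.role != "superadmin" and server.group_id != user.group_id):
        raise Forbidden("server not available to caller")  # CWE-639
    return run_playbook(server, component)
```

The point of the hardened version is ordering: both checks run server-side on every request and complete before anything is handed to the automation layer that holds stored credentials.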

Do I need administrative rights to trigger this issue?

No. The flaw is triggered simply by being a logged-in user, even one assigned a low-privileged role like the default guest account. Accessing the specific configuration endpoints for WAF, GeoIP, or exporters is sufficient to initiate actions; simply visiting the main index page does not trigger the vulnerability.

Is my Roxy-WI instance at risk?

According to Halo Surface Signal, these management dashboards are frequently deployed as centralized portals accessible over the network or the internet to manage edge services. If your installation is reachable by users outside of a strictly controlled internal management segment, the risk of unauthorized configuration changes is significantly higher.

When should I take action for CVE-2026-45552?

Since there is no patch available, prioritize identifying all Roxy-WI instances in your environment immediately. Locate the owners responsible for these systems, assess their network accessibility, and implement strict access controls or isolate the dashboard from untrusted networks until a fix is released.
