SB2026051613 - Multiple vulnerabilities in Roxy-WI
Published: May 16, 2026
Description
This security bulletin contains information about 14 vulnerabilities.
1) Missing Authorization (CVE-ID: CVE-2026-45549)
The vulnerability allows a remote user to cause a denial of service.
The vulnerability exists due to missing authorization in POST /smon/agent/action/<action> when handling crafted POST requests with a user-supplied server_ip value. A remote user can send a specially crafted request to cause a denial of service.
The issue can be exploited by a guest account and affects the roxy-wi-smon-agent systemd unit on a named target host.
2) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-45550)
The vulnerability allows a remote user to modify monitoring checks across tenant boundaries.
The vulnerability exists due to incorrect authorization in the PUT /smon/check endpoint and downstream smon update functions when handling update requests with a user-controlled check_id. A remote user can send a specially crafted PUT request with another tenant's check_id to modify monitoring checks across tenant boundaries.
The issue affects HTTP, TCP, Ping, and DNS monitoring checks, and no user interaction is required.
3) Missing Authorization (CVE-ID: CVE-2026-45552)
The vulnerability allows a remote user to bypass authorization and execute commands on servers belonging to other tenants.
The vulnerability exists due to missing authorization checks in the /install/* endpoints when handling requests for server-specific installation and SSH operations. A remote user can send crafted requests referencing another tenant's server IP to bypass authorization and execute commands on servers belonging to other tenants.
The issue affects authenticated users at any role, including the default guest role, and the target server only needs to be present in the application's server database for stored SSH credentials to be used.
4) External Control of File Name or Path (CVE-ID: CVE-2026-45556)
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to external control of file name or path in the POST /waf///rule//save endpoint when handling a crafted config_file_name value during WAF rule save operations. A remote user can send a specially crafted request to execute arbitrary code.
The issue allows attacker-controlled file contents to be written to arbitrary paths on every managed load balancer in the caller's group, and the written file may be executed as root by downstream system components such as cron.
5) Input validation error (CVE-ID: CVE-2026-45558)
The vulnerability allows a remote user to execute arbitrary code on managed HAProxy load balancers.
The vulnerability exists due to improper input validation in the HAProxy section-save endpoints and related Ansible templates when processing the JSON option field and rendering generated HAProxy configuration. A remote user can submit a specially crafted option value containing injected HAProxy directives to execute arbitrary code on managed HAProxy load balancers.
The injected directives are pushed to the load balancer configuration and executed after HAProxy is reloaded, and the resulting code runs as the haproxy user.
6) LDAP injection (CVE-ID: CVE-2026-45559)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to LDAP injection in get_ldap_email in app/modules/roxywi/user.py when processing the username URL path parameter in the /user/ldap/
The issue is limited to the admin-only endpoint and can expose LDAP attributes outside the intended record.
7) Cross-site scripting (CVE-ID: CVE-2026-45560)
The vulnerability allows a remote attacker to execute arbitrary script in an administrator's browser session.
The vulnerability exists due to cross-site scripting in the log viewer when rendering log entries containing unescaped HTML. A remote attacker can send a specially crafted HTTP request that injects script into managed HAProxy or Nginx access logs to execute arbitrary script in an administrator's browser session.
User interaction is required when a Roxy-WI administrator opens the log viewer.
8) Server-Side Request Forgery (SSRF) (CVE-ID: CVE-2026-45561)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to server-side request forgery in the /smon/agent/{version,uptime,status,checks}/ routes when handling a user-supplied server_ip path component in requests.get calls. A remote user can send a specially crafted request to disclose sensitive information.
The issue can reach cloud metadata IPs and internal-only services, and raw text responses may be included in error messages.
9) Authorization bypass through user-controlled key (CVE-ID: CVE-2026-45563)
The vulnerability allows a remote user to disclose sensitive information.
The vulnerability exists due to authorization bypass through a user-controlled key in the /history/user/<server_ip> route when handling requests for user action history. A remote user can send a request with another user's id in the path parameter to disclose sensitive information.
The issue exposes the targeted user's full action audit trail, including servers touched, configuration deployment timing, and services restarted.
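Items 1, 2, 3, 8 and 9 share one root cause: a caller-supplied key (server_ip, check_id, a user id) is used directly instead of being resolved inside the caller's own tenant. The following is an added example of the tenant-scoped lookup pattern that closes that class of bug; it is not Roxy-WI's code, and the record layout, sample rows, group ids and agent port are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass

# Added example, not Roxy-WI code. Record layout, sample rows and the agent
# port are constructed for illustration.

@dataclass(frozen=True)
class Server:
    ip: str
    group_id: int

@dataclass(frozen=True)
class Check:
    check_id: int
    group_id: int
    kind: str

SERVERS = {s.ip: s for s in (Server("10.0.0.5", 1), Server("10.0.0.9", 2))}
CHECKS = {c.check_id: c for c in (Check(41, 1, "http"), Check(42, 2, "dns"))}

class Forbidden(Exception):
    """Raised for 'not found' and 'not yours' alike, so the response does not
    reveal which tenant a key belongs to."""

def owned_by(records: dict, caller_group: int, key):
    """Resolve a caller-supplied key only within the caller's own tenant."""
    record = records.get(key)
    if record is None or record.group_id != caller_group:
        raise Forbidden(key)
    return record

def check_for_update(caller_group: int, check_id: int) -> Check:
    return owned_by(CHECKS, caller_group, check_id)

def agent_url(caller_group: int, server_ip: str, route: str) -> str:
    """Build the agent URL from the owned record, never from the raw caller
    string, and refuse addresses that are loopback, link-local or unspecified."""
    server = owned_by(SERVERS, caller_group, server_ip)
    addr = ipaddress.ip_address(server.ip)
    if addr.is_loopback or addr.is_link_local or addr.is_unspecified:
        raise Forbidden(server.ip)
    return f"http://{addr}:8000/{route}"

def denied(fn, *args) -> bool:
    """True when the lookup raises Forbidden (used by the checks)."""
    try:
        fn(*args)
    except Forbidden:
        return True
    return False
```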
10) OS Command Injection (CVE-ID: CVE-2026-45564)
The vulnerability allows a remote user to execute arbitrary code.
The vulnerability exists due to command injection in the save_version route and downstream config handling when processing a crafted configver URL path parameter in POST requests to /config/versions/.../save. A remote user can send a specially crafted request to execute arbitrary code.
Exploitation requires valid credentials with role level 3 or lower and does not require user interaction.
11) Input validation error (CVE-ID: CVE-2026-45565)
The vulnerability allows a remote user to write arbitrary files and execute arbitrary code.
The vulnerability exists due to improper input validation in the EscapedString validator when processing user-supplied string fields containing path traversal sequences together with metacharacters. A remote user can supply a specially crafted value to write arbitrary files and execute arbitrary code.
The issue occurs because the validator's strip branch returns the modified value before enforcing the '..' check and without applying shell quoting.
12) Open redirect (CVE-ID: CVE-2026-45566)
The vulnerability allows a remote attacker to redirect users to an attacker-controlled site.
The vulnerability exists due to URL redirection to an untrusted site in the /login endpoint when processing a crafted next parameter using basic-auth userinfo syntax. A remote attacker can supply a specially crafted next value to redirect users to an attacker-controlled site.
User interaction is required because the victim must complete the login flow before the client-side redirect occurs.
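As an added illustration of item 12 (not Roxy-WI's code), the block below puts a typical prefix-based check for the next parameter beside a validator that parses the value and rejects userinfo syntax; the application hostname roxy.example is an assumption.

```python
from urllib.parse import urlsplit

# Added example, not Roxy-WI code. The application hostname is assumed.
APP_HOST = "roxy.example"


def next_is_safe_vulnerable(next_value: str) -> bool:
    # A common weak check: a string-prefix test against the app's origin.
    # "https://roxy.example@evil.example/" passes it, because the origin is
    # merely the userinfo part of a URL whose real host is evil.example.
    return next_value.startswith(f"https://{APP_HOST}") or next_value.startswith("/")


def next_is_safe_fixed(next_value: str) -> bool:
    """Validate `next` server-side before it is reflected to the page that
    performs the client-side redirect. Only same-host http(s) URLs or plain
    absolute paths are accepted."""
    if any(c in next_value for c in "\\\r\n\x00"):
        return False
    parts = urlsplit(next_value)
    if parts.scheme and parts.scheme not in ("http", "https"):
        return False
    if parts.netloc:
        if "@" in parts.netloc:  # userinfo has no place in a login redirect
            return False
        return parts.hostname == APP_HOST
    # No authority part: require a single-slash absolute path ("//host" is
    # scheme-relative and would send the browser to another host).
    return next_value.startswith("/") and not next_value.startswith("//")
```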
13) Improper Authentication (CVE-ID: CVE-2026-45567)
The vulnerability allows a remote attacker to bypass authentication and access protected functionality.
The vulnerability exists due to improper authentication in the global before_request hook when processing request URLs containing the substring "api". A remote attacker can send a crafted request with "api" in the URL to bypass authentication and access protected functionality.
The authentication check is skipped if the substring appears anywhere in the full request URL, including the query string.
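An added reconstruction of the item 13 bug class (not Roxy-WI's code): the weak substring test on the full URL beside a decision that looks only at the normalised path and still requires a token on the API side. The /api/ mount point and the function names are assumptions.

```python
import posixpath
from urllib.parse import unquote, urlsplit

# Illustrative reconstruction of the bug class in item 13, not Roxy-WI code.
# The weak hook looks for the substring "api" anywhere in the full URL, so a
# query string such as "?next=api" (or a path like "/rapid") skips the check.
def skips_session_auth_vulnerable(url: str) -> bool:
    return "api" in url


API_PREFIX = "/api/"  # assumed mount point of the token-authenticated API


def skips_session_auth_fixed(url: str) -> bool:
    """Decide on the percent-decoded, normalised path only, never on the
    query string, and only for the exact API mount point."""
    path = posixpath.normpath(unquote(urlsplit(url).path))
    return path == API_PREFIX.rstrip("/") or path.startswith(API_PREFIX)


def request_is_authorized(url: str, has_session: bool, has_api_token: bool) -> bool:
    """before_request-style decision: API routes need a token, everything
    else needs a browser session; nothing gets through with neither."""
    if skips_session_auth_fixed(url):
        return has_api_token
    return has_session
```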
14) Path traversal (CVE-ID: CVE-2026-45569)
The vulnerability allows a remote user to read arbitrary files and modify integrity-sensitive data.
The vulnerability exists due to path traversal in app/modules/config/config.py when handling crafted config version values in requests to the save_version route. A remote user can send a specially crafted request to read arbitrary files and modify integrity-sensitive data.
The issue is caused by an incorrect tuple-membership check for '..', and the vulnerable code path is reachable through POST /config/versions////save.
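Items 11 and 14 describe two ways a '..' check can fail: an early return from a strip branch that skips the check and the quoting, and a membership test against a tuple that only matches the literal value '..'. The block below is an added reconstruction of both bug shapes beside a hardened validator and a path builder; it is not Roxy-WI's code, and the names, the metacharacter set and the exact shape of the broken checks are assumptions.

```python
import posixpath
import re
import shlex

# Illustrative reconstruction of the bug classes in items 11 and 14. Names,
# the metacharacter set and the exact shape of the broken checks are assumed;
# this is not Roxy-WI's code.
_META = re.compile(r"[;&|`$<>\r\n]")

def escaped_string_vulnerable(value: str, strip: bool = False) -> str:
    if strip:
        return _META.sub("", value)  # bug: returns before the '..' check, unquoted
    if ".." in value:
        raise ValueError("path traversal")
    return shlex.quote(value)

def version_accepted_vulnerable(version: str) -> bool:
    # Assumed bug shape: membership in a one-element tuple rejects only the
    # literal value '..', not any string that contains it.
    return version not in ("..",)

def escaped_string_fixed(value: str, strip: bool = False) -> str:
    """Strip first, then validate what will actually be used, then quote."""
    if strip:
        value = _META.sub("", value)
    if ".." in value or "\x00" in value:
        raise ValueError("path traversal")
    return shlex.quote(value)

def safe_version_path(base_dir: str, version: str) -> str:
    """Map a version name to a file strictly inside base_dir."""
    if version in ("", ".", "..") or any(c in version for c in "/\\\x00"):
        raise ValueError("invalid version name")
    path = posixpath.normpath(posixpath.join(base_dir, version))
    if posixpath.dirname(path) != posixpath.normpath(base_dir):
        raise ValueError("escapes base directory")
    return path

def rejects(fn, *args, **kwargs) -> bool:
    """True when fn raises ValueError for this input (used by the checks)."""
    try:
        fn(*args, **kwargs)
    except ValueError:
        return True
    return False
```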
Remediation
Install the update from the vendor's website.
References
- https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-c92j-h72m-ff4j
- https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-856h-mvm2-2h2x
- https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-v3f8-g2v8-jq5h
- https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-85gm-773v-x7m4
- https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-w2x4-66jj-3597
- https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-2257-7mhp-grqp
- https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-28m4-mmr2-83p6
- https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-2crj-7rqc-x7rq
- https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-wcmc-cjmw-54x9
- https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-w42x-3v8j-cmg2
- https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-7qm8-cm8p-9rx3
- https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-xw9x-68gg-mp5h
- https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-4fcm-qgg8-w2vf
- https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-j6p4-8532-h9hv
- https://github.com/roxy-wi/roxy-wi/commit/d4d10006