Missing Authorization in Roxy-WI - CVE-2026-45552


Published: May 16, 2026

Vulnerability identifier: #VU131608
CSH Severity: Medium
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:U/U:Green
CVE-ID: CVE-2026-45552
CWE-ID: CWE-862
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Roxy-WI
Affected software:
Roxy-WI

Detailed vulnerability description

The vulnerability allows a remote user to bypass authorization and execute commands on servers belonging to other tenants.

The vulnerability exists due to missing authorization checks in the /install/* endpoints when handling requests for server-specific installation and SSH operations. A remote user can send crafted requests referencing another tenant's server IP to bypass authorization and execute commands on servers belonging to other tenants.

The issue affects authenticated users of any role, including the default guest role; the target server only needs to exist in the application's server database for its stored SSH credentials to be used.
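The authorization gap described above, shown as an added Python example that is not Roxy-WI's code: a hypothetical install handler resolves a server by IP from a server table shared across tenants, first with no ownership check and then with a tenant-scoped lookup plus a role check. The tenant, role and server records, and the set of roles allowed to run installs, are constructed assumptions.

```python
"""Hypothetical illustration of the CWE-862 pattern: the server table is shared
across tenants, so looking a server up by IP alone lets any authenticated user
reach another tenant's host. Not Roxy-WI code; all records are constructed."""
from dataclasses import dataclass


@dataclass(frozen=True)
class Server:
    ip: str
    tenant_id: int
    ssh_cred_id: str   # reference to stored SSH credentials (constructed)


@dataclass(frozen=True)
class User:
    name: str
    tenant_id: int
    role: str          # e.g. "admin", "user", "guest"


# Constructed sample records: two tenants sharing one server table.
SERVERS = {
    "10.0.1.10": Server("10.0.1.10", tenant_id=1, ssh_cred_id="cred-t1"),
    "10.0.2.20": Server("10.0.2.20", tenant_id=2, ssh_cred_id="cred-t2"),
}
INSTALL_ROLES = {"admin", "user"}   # roles allowed to run installs (assumption)


class AuthorizationError(Exception):
    pass


def install_vulnerable(user: User, server_ip: str) -> str:
    """Missing authorization: any authenticated user, any role, any tenant's server."""
    server = SERVERS[server_ip]        # only "does this IP exist?" is checked
    return f"install on {server.ip} using {server.ssh_cred_id}"


def install_fixed(user: User, server_ip: str) -> str:
    """Object-level check: the server must belong to the caller's tenant AND the
    caller's role must permit install/SSH actions. Deny by default."""
    if user.role not in INSTALL_ROLES:
        raise AuthorizationError(f"role {user.role!r} may not run installs")
    server = SERVERS.get(server_ip)
    # Same error for "not found" and "not yours": does not confirm other tenants' IPs.
    if server is None or server.tenant_id != user.tenant_id:
        raise AuthorizationError("server not found in your tenant")
    return f"install on {server.ip} using {server.ssh_cred_id}"
```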

How to mitigate CVE-2026-45552

Install the security update from the vendor's website.

Sources