Authorization bypass through user-controlled key in Roxy-WI - CVE-2026-45563

 


Published: May 16, 2026


Vulnerability identifier: #VU131615
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-45563
CWE-ID: CWE-639
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Roxy-WI
Affected software:
Roxy-WI

Detailed vulnerability description

The vulnerability allows a remote user to disclose sensitive information.

The vulnerability exists due to authorization bypass through a user-controlled key in the /history/user/<server_ip> route when handling requests for user action history. A remote user can send a request with another user's id in the path parameter to disclose sensitive information.

The issue exposes the targeted user's full action audit trail, including servers touched, configuration deployment timing, and services restarted.
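The CWE-639 pattern described above, shown next to an object-level authorization check, as an added example (not Roxy-WI source code and not the vendor's fix). The session model, the admin exception, the function names and the audit records are all constructed assumptions.

```python
# Added illustration of CWE-639; not Roxy-WI code. All names and data are constructed.
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    user_id: int            # identity established at login, never taken from the URL
    is_admin: bool = False  # assumption: an admin role may read any user's history


# Constructed audit records, keyed by the user who performed the actions.
ACTION_HISTORY = {
    1: ["deploy config to 10.0.0.5", "restart haproxy on 10.0.0.5"],
    2: ["restart nginx on 10.0.0.9"],
}


class Forbidden(Exception):
    """Would map to an HTTP 403 response in a real handler."""


def history_unchecked(session: Session, path_key: str) -> list[str]:
    # CWE-639 pattern: the key from the path alone selects whose records are
    # returned; the authenticated session is never consulted.
    return ACTION_HISTORY.get(int(path_key), [])


def history_checked(session: Session, path_key: str) -> list[str]:
    # Parse the key strictly so malformed input fails closed.
    if not (path_key.isascii() and path_key.isdigit()):
        raise Forbidden("malformed key")
    owner = int(path_key)
    # Object-level check: the requested owner must be the caller, unless the
    # caller holds the (assumed) admin role.
    if owner != session.user_id and not session.is_admin:
        raise Forbidden("caller does not own the requested history")
    return ACTION_HISTORY.get(owner, [])
```
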


How to mitigate CVE-2026-45563

Install the security update from the vendor's website.
