Improper Authentication in Roxy-WI - CVE-2026-45567

 


Published: May 16, 2026


Vulnerability identifier: #VU131619
CSH Severity: High
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:U/U:Amber
CVE-ID: CVE-2026-45567
CWE-ID: CWE-287
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Roxy-WI
Affected software:
Roxy-WI

Detailed vulnerability description

The vulnerability allows a remote attacker to bypass authentication and access protected functionality.

The vulnerability exists due to improper authentication in the global before_request hook when processing request URLs containing the substring "api". A remote attacker can send a crafted request with "api" in the URL to bypass authentication and access protected functionality.

The authentication check is skipped if the substring appears anywhere in the full request URL, including the query string.
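The flaw described above, next to a stricter check, as an added example that is not Roxy-WI source code. The `/api/` prefix, host name and routes are assumptions constructed for illustration. The last function flags request URLs that only the substring match would exempt from authentication, which is the pattern to look for in access logs.

```python
"""Added illustration; not Roxy-WI code. Prefix, host and routes are assumed."""
import posixpath
from urllib.parse import urlsplit

API_PREFIX = "/api/"  # assumption: routes that perform their own token auth


def skips_auth_flawed(url: str) -> bool:
    """Pattern described in the advisory: substring match on the full URL."""
    return "api" in url


def skips_auth_strict(url: str) -> bool:
    """Hardened form: parse the URL, drop the query string, collapse '..'
    segments, then require the path to start at the API prefix."""
    path = posixpath.normpath(urlsplit(url).path)
    return path.startswith(API_PREFIX)


def suspicious_requests(urls):
    """Return URLs for which only the flawed check would skip authentication."""
    return [u for u in urls if skips_auth_flawed(u) and not skips_auth_strict(u)]


# Constructed sample request URLs (hypothetical host and routes).
SAMPLE_URLS = [
    "http://roxy.example/api/v1/servers",     # genuine API route
    "http://roxy.example/admin/users",        # protected, auth enforced
    "http://roxy.example/admin/users?x=api",  # "api" only in the query string
    "http://roxy.example/config/apikeys",     # "api" inside a path segment
    "http://roxy.example/api/../admin/users", # prefix followed by traversal
]

if __name__ == "__main__":
    for url in suspicious_requests(SAMPLE_URLS):
        print("auth skipped by substring match only:", url)
```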


How to mitigate CVE-2026-45567

Install the security update from the vendor's website.
