Roxy-WI: IDOR — any authenticated user can read another user’s...

4.3 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Description

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, GET /history/<service>/<server_ip> re-uses the server_ip path parameter as a user-id when service == 'user', with no authorization check. Any authenticated user — even a guest in an unrelated group — can list any other user's full action audit trail (server IPs touched, configs deployed, services restarted). At time of publication, there are no publicly available patches.

Basic Information

ID CVE-2026-45563

Source GitHub_M

Published Jun 10, 2026 at 14:03

Affected Product

Vendor roxy-wi

Product roxy-wi

Version <= 8.2.6.4

Affected Versions roxy-wi roxy-wi <= 8.2.6.4

CWE Classification

CWE-639 CWE-863

References

github.com /roxy-wi/roxy-wi/security/advisories/GHSA-wcmc-cjmw-54x9

{
    "lastseen": "",
    "description": "Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, GET /history/<service>/<server_ip> re-uses the server_ip path parameter as a user-id when service == 'user', with no authorization check. Any authenticated user \u2014 even a guest in an unrelated group \u2014 can list any other user's full action audit trail (server IPs touched, configs deployed, services restarted). At time of publication, there are no publicly available patches.",
    "published": "2026-06-10T14:03:43.300Z",
    "modified": "2026-06-10T14:03:43.300Z",
    "type": "cve",
    "title": "Roxy-WI: IDOR \u2014 any authenticated user can read another user's full action history",
    "source": "GitHub_M",
    "references": "https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-wcmc-cjmw-54x9",
    "id": "CVE-2026-45563",
    "bulletinFamily": "",
    "cwe": [
        "CWE-639",
        "CWE-863"
    ],
    "cvelist": null,
    "sourceData": "roxy-wi roxy-wi <= 8.2.6.4",
    "sourceHref": "",
    "cvss": {
        "score": 4.3,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "roxy-wi",
    "version": "<= 8.2.6.4",
    "vendor": "roxy-wi",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Roxy-WI: IDOR — any authenticated user can read another user’s full action history_CVE-2026-45563