Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, agentaction (app/routes/smon/agentroutes.py:166-179) has decorators @bp.post('/agent/action/<action>') and @jwtrequired() only — no role check, no group ownership check on the serverip form field. Any authenticated user, including role 4 (guest), can start, stop, or restart the roxy-wi-smon-agent systemd unit on any server they can name. Roxy-WI executes the systemd action over its own SSH credentials (passwordless sudo), so the action runs as root on the target. At time of publication, there are no publicly available patches.
{
"cna_assigner": "GitHub_M",
"cwe_ids": [
"CWE-862",
"CWE-863"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45549.json"
}