Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, PUT /smon/check (app/routes/smon/routes.py:117-138) gates only on roxywicommon.checkusergroupforflask() — which validates that the caller has some group, not that the target checkid belongs to it. The downstream SQL update functions updatesmon, updatesmonHttp, updatesmonTcp, updatesmonPing, updatesmonDns (app/modules/db/smon.py:515-562) all execute WHERE smonid = ? with no usergroup filter. The DELETE path is correctly filtered (app/modules/db/smon.py:319-327 does WHERE id = ? AND usergroup = ?), demonstrating that the maintainers know the right pattern but did not apply it on UPDATE. Therefore any authenticated user can iterate over smon_id values and silently rewrite any other tenant's HTTP / TCP / Ping / DNS monitoring check. At time of publication, there are no publicly available patches.
{
"cwe_ids": [
"CWE-639",
"CWE-862",
"CWE-863"
],
"osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/45xxx/CVE-2026-45550.json",
"cna_assigner": "GitHub_M"
}