PT-2026-48434 · Roxy-Wi · Roxy-Wi

Published 2026-06-10 · Updated 2026-06-10 · CVE-2026-45550

CVSS v3.1: 9.1 Critical
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:L/I:H/A:L
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, PUT /smon/check (app/routes/smon/routes.py:117-138) gates only on `roxywi_common.check_user_group_for_flask()`, which validates that the caller belongs to some group, not that the target check id belongs to that group. The downstream SQL update functions `update_smon`, `update_smonHttp`, `update_smonTcp`, `update_smonPing` and `update_smonDns` (app/modules/db/smon.py:515-562) all execute `WHERE smon_id = ?` with no user_group filter. The DELETE path is correctly filtered (app/modules/db/smon.py:319-327 does `WHERE id = ? AND user_group = ?`), showing that the maintainers know the right pattern but did not apply it on UPDATE. As a result, any authenticated user can iterate over smon_id values and silently rewrite any other tenant's HTTP / TCP / Ping / DNS monitoring check. At time of publication, there are no publicly available patches.
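As an added illustration (not Roxy-WI's own code), the unscoped UPDATE pattern the advisory describes is shown beside a tenant-scoped form, on a constructed SQLite schema; the table and column names (`smon`, `smon_http`, `smon_id`, `user_group`) are assumptions modelled on the identifiers quoted above, and the child table deliberately has no `user_group` column so ownership must be resolved through the parent row.

```python
"""Added example, not Roxy-WI's code: tenant-scoped vs. unscoped UPDATE."""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: two tenants (groups 1 and 2), one HTTP check each."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(
        """
        CREATE TABLE smon (id INTEGER PRIMARY KEY, name TEXT, user_group INTEGER);
        CREATE TABLE smon_http (smon_id INTEGER REFERENCES smon(id), url TEXT);
        INSERT INTO smon VALUES (1, 'group1-check', 1), (2, 'group2-check', 2);
        INSERT INTO smon_http VALUES (1, 'https://g1.example/health'),
                                     (2, 'https://g2.example/health');
        """
    )
    return conn


def update_smon_http_unscoped(conn, smon_id: int, url: str) -> int:
    """The pattern described in the advisory: only the check id is in the WHERE
    clause, so a caller passing a foreign smon_id rewrites another tenant's check."""
    cur = conn.execute("UPDATE smon_http SET url = ? WHERE smon_id = ?", (url, smon_id))
    conn.commit()
    return cur.rowcount


def update_smon_http_scoped(conn, smon_id: int, url: str, user_group: int) -> int:
    """Hardened form: ownership is checked through the parent smon row, the same
    idea as the DELETE path's 'WHERE id = ? AND user_group = ?'. A rowcount of 0
    means the check is not the caller's; the route should answer 403/404, not 200."""
    cur = conn.execute(
        "UPDATE smon_http SET url = ? WHERE smon_id = ? "
        "AND smon_id IN (SELECT id FROM smon WHERE user_group = ?)",
        (url, smon_id, user_group),
    )
    conn.commit()
    return cur.rowcount


def get_url(conn, smon_id: int) -> str:
    row = conn.execute("SELECT url FROM smon_http WHERE smon_id = ?", (smon_id,)).fetchone()
    return row[0]


if __name__ == "__main__":
    # A group-1 caller targets group 2's check (smon_id=2) through both variants.
    print("unscoped rows changed:", update_smon_http_unscoped(make_db(), 2, "https://x.example"))
    print("scoped rows changed:", update_smon_http_scoped(make_db(), 2, "https://x.example", 1))
```

Audit either variant by logging calls whose rowcount is 0 after an authenticated request: under the scoped form those are cross-tenant attempts, and their absence under the unscoped form is exactly why the original bug is silent.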

Fix

Weakness Enumeration: Missing Authorization · IDOR · Incorrect Authorization

Related Identifiers: CVE-2026-45550

Affected Products: Roxy-Wi