PT-2026-48435 · Roxy-Wi · Roxy-Wi

Published: 2026-06-10 · Updated: 2026-06-10 · CVE-2026-45552

CVSS v3.1: 9.9 (Critical)

Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Roxy-WI is a web interface for managing HAProxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, the install blueprint declares only bp.before_request → @jwt_required() (app/routes/install/routes.py:36-39). The individual endpoints install_exporter, install_waf, install_geoip, check_geoip, get_exporter_version, and get_task_status are not wrapped in page_for_admin and do not call roxywi_common.is_user_has_access_to_its_group(server_ip) or check_is_server_in_group(server_ip). Only the GET index page (install_monitoring) gates on roxywi_auth.page_for_admin(level=2). Because the missing decorators omit both role and group checks, any logged-in user (including the default guest role 4) can install or reconfigure exporters, WAF, and GeoIP databases on every server in the Roxy-WI database, regardless of tenant ownership. The Ansible playbooks run with the per-server SSH credential stored in Roxy-WI, which the credential's rightful owner (a different tenant) has provisioned with sudo rights for the management workflow. At time of publication, there are no publicly available patches.
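The pattern described above can be found mechanically in code review. The following is an added example, not Roxy-WI code and not part of the advisory: a static check that flags route handlers protected only by the blueprint-wide JWT hook. The check names come from the advisory text; the URL paths, handler bodies and run_playbook in the sample are constructed placeholders.

```python
import ast
# Constructed sample modelled on the pattern the advisory describes. It is not
# Roxy-WI source: URL paths, handler bodies and run_playbook are placeholders.
SAMPLE = '''
@bp.before_request
@jwt_required()
def before_request(): pass

@bp.route("/monitoring")
def install_monitoring():
    roxywi_auth.page_for_admin(level=2)

@bp.post("/exporter")
def install_exporter():
    return run_playbook(request.json["server_ip"])

@bp.post("/waf")
def install_waf():
    roxywi_auth.page_for_admin(level=2)
    roxywi_common.check_is_server_in_group(request.json["server_ip"])
    return run_playbook(request.json["server_ip"])
'''

ROUTE_ATTRS = {"route", "get", "post", "put", "delete"}
ROLE_CHECKS = {"page_for_admin"}
GROUP_CHECKS = {"is_user_has_access_to_its_group", "check_is_server_in_group"}

def _name(node):
    """Trailing identifier of a Name, Attribute or Call node, else None."""
    node = getattr(node, "func", node)  # unwrap a Call to the thing being called
    return getattr(node, "attr", getattr(node, "id", None))

def audit(source):
    """Map each route handler to the authorization checks it lacks.
    A group check is only expected where the handler acts on a server_ip."""
    findings = {}
    for fn in ast.walk(ast.parse(source)):
        decorators = {_name(d) for d in getattr(fn, "decorator_list", [])}
        if not isinstance(fn, ast.FunctionDef) or not decorators & ROUTE_ATTRS:
            continue  # hooks such as before_request are not endpoints
        seen = decorators | {_name(c) for c in ast.walk(fn) if isinstance(c, ast.Call)}
        missing = [] if seen & ROLE_CHECKS else ["role"]
        if "server_ip" in ast.dump(fn) and not seen & GROUP_CHECKS:
            missing.append("group")
        findings[fn.name] = missing
    return {handler: gaps for handler, gaps in findings.items() if gaps}

if __name__ == "__main__":
    for handler, gaps in audit(SAMPLE).items():
        print(f"{handler}: missing {', '.join(gaps)} check")
```

jwt_required is deliberately absent from both check sets, since it establishes only that the caller is logged in, which is the condition the advisory says is insufficient.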

Fix

Weakness Enumeration: Missing Authorization, IDOR, Incorrect Authorization

Related Identifiers

CVE-2026-45552

Affected Products

Roxy-Wi