CVE-2026-45563 MEDIUM

CVE-2026-45563: Roxy-WI: IDOR — any authenticated user can read another user's full action history

Vendor Roxy-Wi
Product roxy-wi
Weakness CWE-639 · IDOR
Published June 10, 2026
Last update June 10, 2026

CVSS base score

4.3/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality Low
Integrity None

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

What the vulnerability does

01Description

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, GET /history/<service>/<server_ip> re-uses the server_ip path parameter as a user-id when service == 'user', with no authorization check. Any authenticated user — even a guest in an unrelated group — can list any other user's full action audit trail (server IPs touched, configs deployed, services restarted). At time of publication, there are no publicly available patches.

Key dates

02Disclosure timeline

June 10, 2026 CVE published
June 10, 2026 Record updated

Related vulnerabilities

04Related CVE