Missing Authorization Checks in Roxy-WI Agent Management

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, agent_action (app/routes/smon/agent_routes.py:166-179) has decorators @bp.post('/agent/action/<action>') and @jwt_required() only — no role check, no group ownership check on the server_ip form field. Any authenticated user, including role 4 (guest), can start, stop, or restart the roxy-wi-smon-agent systemd unit on any server they can name. Roxy-WI executes the systemd action over its own SSH credentials (passwordless sudo), so the action runs as root on the target. At time of publication, there are no publicly available patches.

Casky was already ahead

This CVE exploits attack patterns that Casky's 261matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.

Analysis

Roxy-WI versions 8.2.6.4 and prior contain an authorization bypass vulnerability in the agent action endpoint that allows any authenticated user—including guest-level accounts—to control critical system services across managed infrastructure. The vulnerability stems from missing role-based and group ownership validation on the `/agent/action/<action>` endpoint, which can start, stop, or restart the roxy-wi-smon-agent systemd unit on arbitrary servers. This affects organizations using Roxy-WI to manage HAProxy, Nginx, Apache, and Keepalived deployments, enabling authenticated attackers to disrupt monitoring and load balancing operations without privilege escalation.

Casky's 261 matching security skills leverage Claude's extended reasoning to detect the attack patterns mapped to TA0004 (Privilege Escalation) and TA0006 (Credential Access). Practitioners will identify findings centered on CWE-862 (Missing Authorization) and CWE-863 (Incorrect Authorization) that reveal suspicious patterns: low-privileged users invoking systemd control actions, unexpected service state changes from non-administrative accounts, and lateral movement attempts where guest accounts enumerate and manipulate servers across network segments. The AI-driven analysis correlates JWT token possession with unauthorized service manipulation, flagging the absence of role-based access controls and group membership validation as the root cause, enabling detection of both initial compromise attempts and post-authentication abuse.

Live Threat IntelligenceComing soon

Casky Risk Score

—

EPSS Probability

—

Shodan Exposure

—

GreyNoise Signal

—

Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →

261 Casky skills cover this attack pattern

These skills use Claude AI's reasoning model to surface findings in the same attack categories as CVE-2026-45549.

analyzing-cloud-storage-access-patterns

cloud security · low

Run

analyzing-kubernetes-audit-logs

container security · low

Run

analyzing-malicious-url-with-urlscan

phishing defense · medium

Run

MITRE ATT&CK Techniques

TA0004 TA0006

Investigate the attack patterns behind CVE-2026-45549

Casky has 261 skills that investigate the attack patterns behind CVE-2026-45549. Run one and get CVSS-scored findings in 3 minutes.

Run the skill that detects this →

X Instagram LinkedIn