Roxy-WI Authorization Bypass in Server Monitoring Configuration

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, PUT /smon/check (app/routes/smon/routes.py:117-138) gates only on roxywi_common.check_user_group_for_flask() — which validates that the caller has some group, not that the target check_id belongs to it. The downstream SQL update functions update_smon, update_smonHttp, update_smonTcp, update_smonPing, update_smonDns (app/modules/db/smon.py:515-562) all execute WHERE smon_id = ? with no user_group filter. The DELETE path is correctly filtered (app/modules/db/smon.py:319-327 does WHERE id = ? AND user_group = ?), demonstrating that the maintainers know the right pattern but did not apply it on UPDATE. Therefore any authenticated user can iterate over smon_id values and silently rewrite any other tenant's HTTP / TCP / Ping / DNS monitoring check. At time of publication, there are no publicly available patches.

Casky was already ahead

This CVE exploits attack patterns that Casky's 261matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.

Analysis

Roxy-WI versions 8.2.6.4 and prior contain a critical authorization bypass vulnerability in the PUT /smon/check endpoint. The application validates that a user belongs to *some* group, but fails to verify that the target monitoring check actually belongs to that group before allowing modifications. This permits authenticated users to read, modify, or delete monitoring configurations for servers they should not have access to. Organizations running Roxy-WI for centralized management of HAProxy, Nginx, Apache, and Keepalived infrastructure face exposure of sensitive monitoring data and potential disruption of critical infrastructure health checks.

Casky's 261 matching skills detect the attack patterns behind this vulnerability by analyzing privilege escalation (TA0004) and credential access (TA0006) techniques. Claude AI with extended reasoning identifies improper authorization checks by correlating CWE-639 (Authorization Bypass Through User-Controlled Key), CWE-862 (Missing Authorization), and CWE-863 (Incorrect Authorization) patterns across the application flow. Practitioners using Casky would observe findings highlighting the gap between authentication validation (user exists in a group) and authorization enforcement (check ownership verification), lateral movement attempts where users access check_ids outside their assigned scope, and SQL WHERE clauses executed without ownership filters—enabling detection of both active exploitation and configuration drift that exposes unintended access.

Live Threat IntelligenceComing soon

Casky Risk Score

—

EPSS Probability

—

Shodan Exposure

—

GreyNoise Signal

—

Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →

261 Casky skills cover this attack pattern

These skills use Claude AI's reasoning model to surface findings in the same attack categories as CVE-2026-45550.

analyzing-cloud-storage-access-patterns

cloud security · low

Run

analyzing-kubernetes-audit-logs

container security · low

Run

analyzing-malicious-url-with-urlscan

phishing defense · medium

Run

MITRE ATT&CK Techniques

TA0004 TA0006

Investigate the attack patterns behind CVE-2026-45550

Casky has 261 skills that investigate the attack patterns behind CVE-2026-45550. Run one and get CVSS-scored findings in 3 minutes.

Run the skill that detects this →

X Instagram LinkedIn