Security Advisory - Published 2026-06-11 - Roxy-WI

Roxy-WI CVE batch: load balancer panel exposure self-check

The Roxy-WI advisories affect a management panel that can touch HAProxy, Nginx, Apache, Keepalived, exporters, WAF rules, and server monitoring agents. The common operator risk is not one isolated route. It is a panel account being able to change infrastructure it should not control, especially in shared or tenant-separated setups.

Defensive scope: this page avoids route-by-route attack detail. Use it to confirm version, restrict panel access, review accounts, audit recent configuration pushes, and plan containment.

What the monitor raised

CVE | Area | Operator note
CVE-2026-45552 | Install and exporter workflows | Cross-tenant authorization checks are missing on sensitive install actions.
CVE-2026-45550 | Server monitoring updates | Tenant ownership checks may be missing on update paths.
CVE-2026-45549 | Monitoring agent actions | Panel users may be able to start, stop, or restart agents outside their scope.
CVE-2026-45556 | WAF configuration save | Path handling around configuration writes needs urgent review.
CVE-2026-45558 | HAProxy section configuration | Generated configuration may include untrusted directives.
CVE-2026-45564 | Config version restore | Path input can reach command execution sinks in vulnerable versions.
CVE-2026-45565 | Shared input validation | Traversal filtering can be bypassed by validation order problems.
CVE-2026-45567 | Authentication handling | Authentication bypass conditions affect API-style routes.
CVE-2026-45569 | Incomplete traversal patch | A previous validation patch may not block realistic traversal strings.

Containment checklist

  1. Remove public internet access to the Roxy-WI panel. Put it behind VPN or a trusted admin network.
  2. Disable guest or low-privilege accounts until the tenant and role model is reviewed.
  3. Export a list of Roxy-WI users, roles, groups, and managed servers.
  4. Review recent HAProxy, Nginx, Apache, Keepalived, WAF, exporter, and GeoIP changes.
  5. Check SSH keys and service credentials stored for managed servers.
  6. Review systemd, cron, WAF rule, and load balancer configuration timestamps on every managed host.

Version and service checks

# Confirm the installed Roxy-WI version against the affected range.
python -m pip show roxy-wi 2>/dev/null
# Find Roxy-WI service units on the panel host.
systemctl list-units | grep -i roxy
# List listening sockets for the panel and the services it manages.
ss -ltnp | grep -E 'roxy|haproxy|nginx|httpd|apache|keepalived'

The public advisories list Roxy-WI versions up to 8.2.6.4 as affected, with no patched version shown at publication time. If your panel is production-facing, treat network restriction and account review as immediate work, not a later hardening task.

Evidence to preserve

  • Roxy-WI application logs and web access logs.
  • Task history for exporter, WAF, GeoIP, monitoring, and config restore actions.
  • Changed files under load balancer, WAF, Apache, Nginx, HAProxy, and Keepalived config directories.
  • SSH login records from the Roxy-WI host to managed servers.
  • New or modified cron files, systemd units, and service restart times.
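The configuration timestamp and change review called for in the checklist and evidence list above, as an added example that is not Roxy-WI's own code: it records an mtime and SHA-256 inventory of the service config directories on a managed host, then reports files added, removed, or changed on later runs. The directory list and baseline filename are assumptions; adjust them per host.

```python
# Added example (not Roxy-WI code): snapshot the config directories a Roxy-WI
# panel can push to on a managed host, then diff later runs against it.
import hashlib
import json
import os
import time

CONFIG_DIRS = ["/etc/haproxy", "/etc/nginx", "/etc/apache2", "/etc/httpd",
               "/etc/keepalived", "/etc/cron.d", "/etc/systemd/system"]  # assumed paths
BASELINE = "config-baseline.json"  # written on first run, diffed afterwards

def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()

def inventory(dirs):  # every file under dirs -> its mtime and SHA-256 digest
    result = {}
    for base in dirs:
        for root, _, files in os.walk(base):
            for name in files:
                path = os.path.join(root, name)
                try:
                    result[path] = {"mtime": int(os.stat(path).st_mtime),
                                    "sha256": sha256_file(path)}
                except OSError:
                    pass  # unreadable or dangling entry: skip it, keep walking
    return result

def diff_inventory(baseline, current):
    """Files added, removed, or with changed content since the baseline."""
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "changed": sorted(p for p in set(baseline) & set(current)
                              if baseline[p]["sha256"] != current[p]["sha256"])}

def recent_files(inv, days=7, now=None):
    """Files modified within the last `days`, for hosts with no baseline yet."""
    cutoff = (time.time() if now is None else now) - days * 86400
    return sorted(p for p, meta in inv.items() if meta["mtime"] >= cutoff)

if __name__ == "__main__":  # first run writes the baseline, later runs diff it
    current = inventory(CONFIG_DIRS)
    if os.path.exists(BASELINE):
        print(json.dumps(diff_inventory(json.load(open(BASELINE)), current), indent=2))
    else:
        json.dump(current, open(BASELINE, "w"), indent=2)
        print("baseline written; recently modified:", recent_files(current))
```

Run it once per managed host right after containment, keep the baseline file off the host, and rerun it after every Roxy-WI push to see exactly which files the panel touched.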

Ping7 repair path

This is a panel and infrastructure review, not a single plugin update. Ping7 can help with exposure mapping, account review, configuration diff review, and post-incident cleanup on owned or client-approved systems. Start from CVE Repair and include the Roxy-WI version, whether the panel is internet-facing, and the number of managed load balancers.

References