Security Advisory - Published 2026-06-11 - Roxy-WI
Roxy-WI CVE batch: load balancer panel exposure self-check
The Roxy-WI advisories affect a management panel that can touch HAProxy, Nginx, Apache, Keepalived, exporters, WAF rules, and server monitoring agents. The common operator risk is not one isolated route. It is a panel account being able to change infrastructure it should not control, especially in shared or tenant-separated setups.
What the monitor raised
| CVE | Area | Operator note |
|---|---|---|
| CVE-2026-45552 | Install and exporter workflows | Cross-tenant authorization checks are missing on sensitive install actions. |
| CVE-2026-45550 | Server monitoring updates | Tenant ownership checks may be missing on update paths. |
| CVE-2026-45549 | Monitoring agent actions | Panel users may be able to start, stop, or restart agents outside their scope. |
| CVE-2026-45556 | WAF configuration save | Path handling around configuration writes needs urgent review. |
| CVE-2026-45558 | HAProxy section configuration | Generated configuration may include untrusted directives. |
| CVE-2026-45564 | Config version restore | Path input can reach command execution sinks in vulnerable versions. |
| CVE-2026-45565 | Shared input validation | Traversal filtering can be bypassed by validation order problems. |
| CVE-2026-45567 | Authentication handling | Authentication bypass conditions affect API-style routes. |
| CVE-2026-45569 | Incomplete traversal patch | A previous validation patch may not block realistic traversal strings. |
Containment checklist
- Remove public internet access to the Roxy-WI panel. Put it behind VPN or a trusted admin network.
- Disable guest or low-privilege accounts until the tenant and role model is reviewed.
- Export a list of Roxy-WI users, roles, groups, and managed servers.
- Review recent HAProxy, Nginx, Apache, Keepalived, WAF, exporter, and GeoIP changes.
- Check SSH keys and service credentials stored for managed servers.
- Review systemd, cron, WAF rule, and load balancer configuration timestamps on every managed host.
Version and service checks
python -m pip show roxy-wi 2>/dev/null
systemctl list-units | grep -i roxy
ss -ltnp | grep -E 'roxy|haproxy|nginx|httpd|apache|keepalived'
The public advisories list Roxy-WI versions up to 8.2.6.4 as affected, with no patched version shown at publication time. If your panel is production-facing, treat network restriction and account review as immediate work, not a later hardening task.
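The `ss` check above tells you what is listening, but the containment question is which of those sockets are bound to every interface and therefore reachable from outside the admin network. The script below is an added example, not part of the advisory or of Roxy-WI itself: it parses `ss -ltnp` output and flags panel-related listeners bound to a wildcard address. The sample output, the `roxy-wi` process name and its port 5000 are constructed for the stand-alone run. A hit is a candidate for the "remove public internet access" step, not automatically a fault: a front-end HAProxy or Nginx on 0.0.0.0:443 may be the load balancer itself, whereas the panel should not be reachable that way.

```shell
#!/bin/sh
# Added example (not from the advisory): flag panel-related listeners bound to a
# wildcard address, i.e. reachable on every interface.
# Assumption: input is `ss -ltnp` output, one socket per line, header optional.

# Constructed sample of `ss -ltnp` output for the stand-alone run.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    0.0.0.0:443       0.0.0.0:*         users:(("nginx",pid=812,fd=6))
LISTEN 0      128    127.0.0.1:5000    0.0.0.0:*         users:(("roxy-wi",pid=1410,fd=9))
LISTEN 0      128    *:8404            *:*               users:(("haproxy",pid=903,fd=7))
LISTEN 0      128    [::1]:9100        [::]:*            users:(("node_exporter",pid=1201,fd=3))'

# is_wildcard ADDR:PORT -> exit 0 if the local address binds all interfaces.
is_wildcard() {
    addr=${1%:*}   # strip the port, which is the last colon-separated field
    case "$addr" in
        0.0.0.0|'*'|'[::]'|::) return 0 ;;
        *) return 1 ;;
    esac
}

# flag_exposed < ss-output : print "PROCESS PORT LOCAL" for each wildcard-bound
# listener owned by a panel-related process; exit 0 if any was found, else 1.
flag_exposed() {
    found=1
    while read -r state recvq sendq local peer users; do
        [ "$state" = "LISTEN" ] || continue          # skips the header line
        case "$users" in
            *roxy*|*haproxy*|*nginx*|*httpd*|*apache*|*keepalived*|*exporter*) ;;
            *) continue ;;
        esac
        if is_wildcard "$local"; then
            proc=${users#*\"}; proc=${proc%%\"*}      # first quoted process name
            printf '%s %s %s\n' "$proc" "${local##*:}" "$local"
            found=0
        fi
    done
    return $found
}

# Stand-alone run on the constructed sample; on a real host use:  ss -ltnp | flag_exposed
if printf '%s\n' "$SAMPLE_SS" | flag_exposed; then
    echo "wildcard-bound listeners above: confirm each one is meant to be reachable"
fi
```

Run it on the Roxy-WI host first, then on each managed load balancer; anything the panel itself exposes on a wildcard address should be moved behind the VPN or admin network before the account review starts.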
Evidence to preserve
- Roxy-WI application logs and web access logs.
- Task history for exporter, WAF, GeoIP, monitoring, and config restore actions.
- Changed files under load balancer, WAF, Apache, Nginx, HAProxy, and Keepalived config directories.
- SSH login records from the Roxy-WI host to managed servers.
- New or modified cron files, systemd units, and service restart times.
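The configuration-timestamp review in the containment checklist and the evidence list above both come down to the same task: find what changed recently under the load balancer, WAF, cron and systemd directories, and preserve copies with hashes before anyone (including a still-active panel account) can alter them. The script below is an added example, not code from the advisory or from Roxy-WI. It assumes GNU coreutils (`sha256sum`) and a `find` that supports `-mtime`; the default directories are common Debian and RHEL locations and are an assumption to adjust per host.

```shell
#!/bin/sh
# Added example (not from the advisory): collect recently changed files from the
# directories the advisory names into a bundle with a SHA-256 manifest, so the
# later diff review works from preserved copies rather than live files.
# Assumptions: GNU coreutils (sha256sum) and find(1) with -mtime. The default
# directories below are typical Debian/RHEL paths and should be adjusted.

DEFAULT_DIRS="/etc/haproxy /etc/nginx /etc/apache2 /etc/httpd /etc/keepalived /etc/cron.d /etc/systemd/system /var/spool/cron"

# recent_files DAYS DIR... : print regular files modified in the last DAYS days
# under the given directories, sorted; directories that do not exist are skipped.
recent_files() {
    days=$1; shift
    for d in "$@"; do
        [ -d "$d" ] || continue
        find "$d" -type f -mtime -"$days" 2>/dev/null
    done | sort
}

# preserve_files DEST < path-list : copy each file into DEST/files keeping its
# full path and mtime (cp -p), append "SHA256 PATH" to DEST/manifest.txt, and
# print the number of files preserved.
preserve_files() {
    dest=$1
    n=0
    mkdir -p "$dest"
    : > "$dest/manifest.txt"
    while IFS= read -r f; do
        [ -f "$f" ] || continue
        mkdir -p "$dest/files$(dirname "$f")"
        cp -p "$f" "$dest/files$f"
        sum=$(sha256sum "$f" | cut -d' ' -f1)
        printf '%s %s\n' "$sum" "$f" >> "$dest/manifest.txt"
        n=$((n + 1))
    done
    echo "$n"
}

# Usage: sh preserve-evidence.sh DAYS [DIR...]   (no DIR means DEFAULT_DIRS)
# Run as root on the Roxy-WI host and on every managed server, then move the
# bundle off the host before starting the configuration diff review.
if [ "$#" -gt 0 ]; then
    days=$1; shift
    [ "$#" -gt 0 ] || set -- $DEFAULT_DIRS
    dest="${TMPDIR:-/tmp}/roxywi-evidence-$(date +%Y%m%dT%H%M%S)"
    count=$(recent_files "$days" "$@" | preserve_files "$dest")
    echo "$count files preserved under $dest (see manifest.txt)"
fi
```

Pick the DAYS window from the earliest date the panel could have been exposed, not from when the advisory was read; re-hashing the bundle later against `manifest.txt` shows whether the preserved copies were touched.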
Ping7 repair path
This is a panel and infrastructure review, not a single plugin update. Ping7 can help with exposure mapping, account review, configuration diff review, and post-incident cleanup on owned or client-approved systems. Start from CVE Repair and include the Roxy-WI version, whether the panel is internet-facing, and the number of managed load balancers.