{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-45563", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-05-12T19:00:14.599Z", "datePublished": "2026-06-10T14:03:43.300Z", "dateUpdated": "2026-06-10T14:55:23.514Z"}, "containers": {"cna": {"title": "Roxy-WI: IDOR \u2014 any authenticated user can read another user's full action history", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-wcmc-cjmw-54x9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-wcmc-cjmw-54x9"}], "affected": [{"vendor": "roxy-wi", "product": "roxy-wi", "versions": [{"version": "<= 8.2.6.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-10T14:03:43.300Z"}, "descriptions": [{"lang": "en", "value": "Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, GET /history/<service>/<server_ip> re-uses the server_ip path parameter as a user-id when service == 'user', with no authorization check. Any authenticated user \u2014 even a guest in an unrelated group \u2014 can list any other user's full action audit trail (server IPs touched, configs deployed, services restarted). At time of publication, there are no publicly available patches."}], "source": {"advisory": "GHSA-wcmc-cjmw-54x9", "discovery": "UNKNOWN"}}, "adp": [{"references": [{"url": "https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-wcmc-cjmw-54x9", "tags": ["exploit"]}], "metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-06-10T14:54:47.307657Z", "id": "CVE-2026-45563", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-10T14:55:23.514Z"}}]}}

{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-45563", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-05-12T19:00:14.599Z", "datePublished": "2026-06-10T14:03:43.300Z", "dateUpdated": "2026-06-10T14:55:23.514Z"}, "containers": {"cna": {"title": "Roxy-WI: IDOR \u2014 any authenticated user can read another user's full action history", "problemTypes": [{"descriptions": [{"cweId": "CWE-639", "lang": "en", "description": "CWE-639: Authorization Bypass Through User-Controlled Key", "type": "CWE"}]}, {"descriptions": [{"cweId": "CWE-863", "lang": "en", "description": "CWE-863: Incorrect Authorization", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-wcmc-cjmw-54x9", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-wcmc-cjmw-54x9"}], "affected": [{"vendor": "roxy-wi", "product": "roxy-wi", "versions": [{"version": "<= 8.2.6.4", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-06-10T14:03:43.300Z"}, "descriptions": [{"lang": "en", "value": "Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, GET /history/<service>/<server_ip> re-uses the server_ip path parameter as a user-id when service == 'user', with no authorization check. Any authenticated user \u2014 even a guest in an unrelated group \u2014 can list any other user's full action audit trail (server IPs touched, configs deployed, services restarted). At time of publication, there are no publicly available patches."}], "source": {"advisory": "GHSA-wcmc-cjmw-54x9", "discovery": "UNKNOWN"}}, "adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-45563", "role": "CISA Coordinator", "options": [{"Exploitation": "poc"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-06-10T14:54:47.307657Z"}}}], "references": [{"url": "https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-wcmc-cjmw-54x9", "tags": ["exploit"]}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-06-10T14:55:12.561Z"}}]}}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, GET /history/<service>/<server_ip> re-uses the server_ip path parameter as a user-id when service == 'user', with no authorization check. Any authenticated user \u2014 even a guest in an unrelated group \u2014 can list any other user's full action audit trail (server IPs touched, configs deployed, services restarted). At time of publication, there are no publicly available patches."}], "id": "CVE-2026-45563", "lastModified": "2026-06-10T15:16:37.167", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 4.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-06-10T15:16:37.167", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-wcmc-cjmw-54x9"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Received", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-639"}, {"lang": "en", "value": "CWE-863"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "generic", "value": "[0,8.2.6.4]"}}], "enrichment": {"confidence": 100.0, "confidence_source": "matching", "scores": [{"score": 100.0, "source": "matching"}]}, "original": {"product": "roxy-wi", "source": "cna", "vendor": "roxy-wi"}, "product": "roxy-wi", "vendor": "roxy-wi"}], "created": "2026-06-10T15:30:15.490846+00:00", "updated": "2026-06-10T15:30:15.856930+00:00", "vendors": ["roxy-wi", "roxy-wi$PRODUCT$roxy-wi"]}