VYPR
High severity (8.5) · NVD Advisory · Published Jun 10, 2026 · Updated Jun 10, 2026

CVE-2026-45549

Description

Roxy-WI versions prior to 8.2.6.4 allow any authenticated user to stop or restart the smon-agent service on any server, leading to denial of service.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Roxy-WI versions 8.2.6.4 and prior suffer from an authorization bypass vulnerability in the agent_action function within app/routes/smon/agent_routes.py. The function lacks proper role and group ownership checks on the server_ip form field, allowing any authenticated user, including those with the guest role (role 4), to execute actions on specified servers [1].

Exploitation

An attacker needs an authenticated session in Roxy-WI, even with the lowest privilege role (guest). The attacker can then send a POST request to `/smon/agent/action/<action>` (where `<action>` can be start, stop, or restart) with a `server_ip` parameter specifying the target server. Roxy-WI will then use its stored SSH credentials to execute the `systemctl` command with passwordless `sudo` on the target machine [1].

Impact

Successful exploitation allows an attacker to stop or restart the roxy-wi-smon-agent systemd unit on any server they can specify. This can lead to a denial of service for monitoring functions, as the agent will stop reporting status events. The action is executed as root on the target server [1].

Mitigation

At the time of publication, there are no publicly available patches for this vulnerability. Users are advised to consult the vendor for potential workarounds or future updates [1].

AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products: 1

Patches: 0 (no patches discovered yet)

Vulnerability mechanics

Root cause

"The agent_action endpoint lacks proper authorization checks, allowing any authenticated user to execute system commands."

Attack vector

An attacker must first authenticate to Roxy-WI with any user role, including the guest role (role 4). The attacker then sends a POST request to the `/smon/agent/action/<action>` endpoint, specifying an action like 'stop', 'start', or 'restart', and providing a `server_ip` form field. The application bypasses role and group ownership checks, executing the requested systemd action on the target server via SSH with root privileges [1].

Affected code

The vulnerability resides in the agent_action function located in app/routes/smon/agent_routes.py, specifically lines 166-179. This function handles requests to start, stop, or restart the roxy-wi-smon-agent systemd unit without sufficient authorization checks [1].

What the fix does

The patch adds two crucial authorization checks to the agent_action route: `roxywi_auth.page_for_admin(level=2)` and `roxywi_common.check_is_server_in_group(server_ip)`. These checks ensure that only authorized administrators can perform actions and that the specified server belongs to the user's group, preventing unauthorized users from controlling systemd units on arbitrary servers [1].
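As an added illustration (not Roxy-WI's own code), the following models the two checks described above: a role gate modelled on `page_for_admin(level=2)`, a group-ownership check modelled on `check_is_server_in_group(server_ip)`, and an allowlist restricting the action to start/stop/restart. The user and server records, the role ordering beyond "guest = role 4", and the helper bodies are assumptions.

```python
# Added illustration, not Roxy-WI's own code. Models the authorization checks the
# fix adds to agent_action; records, role ordering and helper bodies are assumed.
from dataclasses import dataclass

ALLOWED_ACTIONS = {"start", "stop", "restart"}   # the only systemctl verbs the route should run

@dataclass(frozen=True)
class User:
    name: str
    role: int      # assumption: lower number = more privilege; 4 = guest (from the advisory)
    group_id: int

# Constructed inventory: server IP -> owning group id.
SERVER_GROUPS = {"10.0.0.42": 2, "10.0.0.7": 1}

class Forbidden(Exception):
    pass

def page_for_admin(user: User, level: int = 2) -> None:
    """Modelled on roxywi_auth.page_for_admin: reject roles weaker than `level`."""
    if user.role > level:
        raise Forbidden(f"role {user.role} is not allowed (need <= {level})")

def check_is_server_in_group(user: User, server_ip: str) -> None:
    """Modelled on roxywi_common.check_is_server_in_group: unknown or foreign servers are refused."""
    if SERVER_GROUPS.get(server_ip) != user.group_id:
        raise Forbidden(f"server {server_ip} is not in group {user.group_id}")

def run_systemctl(action: str, server_ip: str) -> str:
    # Stand-in for the SSH + passwordless-sudo systemctl call on the target host.
    return f"systemctl {action} roxy-wi-smon-agent on {server_ip}"

def agent_action_vulnerable(user: User, action: str, server_ip: str) -> str:
    # 'Before': any authenticated user may act on any server_ip it names.
    return run_systemctl(action, server_ip)

def agent_action_fixed(user: User, action: str, server_ip: str) -> str:
    # 'After': validate the action, gate on role, then confirm group ownership.
    if action not in ALLOWED_ACTIONS:
        raise ValueError(f"unsupported action {action!r}")
    page_for_admin(user, level=2)
    check_is_server_in_group(user, server_ip)
    return run_systemctl(action, server_ip)

def is_allowed(user: User, action: str, server_ip: str) -> bool:
    """True if the fixed route would execute the action for this user."""
    try:
        agent_action_fixed(user, action, server_ip)
        return True
    except (Forbidden, ValueError):
        return False
```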

Preconditions

  • auth: One authenticated session in Roxy-WI at any role level.
  • config: A roxy-wi-smon-agent systemd unit must be installed on the target server.

Reproduction

```shell
# Logged-in as role=4 guest:
COOKIE='-b /tmp/guest.jar'
TARGET=victim.example
curl $COOKIE -X POST "https://$TARGET/smon/agent/action/stop" \
  -d "server_ip=10.0.0.42"
# → 'ok' — tenant2's smon-agent is now stopped; their HTTP / TCP / DNS monitors silently stop reporting.
```

[1]

Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References: 1
