CVE-2026-45561
Description
Roxy-WI versions 8.2.6.4 and prior are vulnerable to SSRF, allowing attackers to access internal services and cloud metadata.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
Roxy-WI versions 8.2.6.4 and prior contain a Server-Side Request Forgery (SSRF) vulnerability in the /smon/agent/{version,uptime,status,checks}/<server_ip> routes. These routes take the server_ip path component verbatim and use it in outgoing HTTP requests without proper validation, so arbitrary IP addresses, including RFC 1918 ranges and cloud metadata IPs, can be supplied [1].
Exploitation
An attacker can exploit this vulnerability by sending a crafted request to a vulnerable Roxy-WI instance, specifying a malicious IP address such as 169.254.169.254 (AWS metadata) or 127.0.0.1 in the URL path. This causes the Roxy-WI server to make a request to the specified IP address on behalf of the attacker [1].
Impact
Successful exploitation allows an attacker to exfiltrate cloud provider IAM credentials if Roxy-WI is hosted on AWS, GCP, Azure, or Hetzner. It also enables access to internal-only services running on the victim host, such as Redis or internal admin panels [1].
Mitigation
At the time of publication, there are no publicly available patches. Recommended mitigations include validating IP addresses to refuse private, loopback, link-local, broadcast, and reserved ranges, and implementing DNS-rebinding protection by resolving DNS targets once and validating the resulting IP [1].
AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products (1)
Patches (0)
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application takes the server IP from the URL path and uses it directly in an outgoing HTTP request without proper validation."
Attack vector
An unauthenticated attacker can send a request to the /smon/agent/{version,uptime,status,checks}/<server_ip> routes. By providing a specially crafted IP address in the URL path, such as a cloud metadata IP or an internal service IP, the attacker can trick the Roxy-WI server into making a request to that IP address. This allows the attacker to interact with internal services or exfiltrate sensitive cloud provider credentials [1].
Affected code
The vulnerability exists in the /smon/agent/{version,uptime,status,checks}/<server_ip> family of routes within app/routes/smon/agent_routes.py, specifically in functions that construct outgoing requests using the provided server_ip from the URL path [1].
What the fix does
The advisory suggests implementing IP address validation that refuses private, loopback, link-local, broadcast, and reserved ranges, and resolving DNS targets once, validating the resulting IP, and reusing that IP for the request rather than resolving the name again. This would prevent the application from making requests to unintended or sensitive IP addresses [1]. No patch is publicly available at this time.
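The checks the advisory recommends, as an added example (my code, not Roxy-WI's): refuse addresses in private, loopback, link-local, multicast, reserved and other non-global ranges, and resolve a hostname exactly once so the vetted IP literal, not the name, is what the outgoing request uses. The endpoint set, the agent_url helper and its agent_port parameter are assumptions; the check also covers IPv4-mapped IPv6 forms, which the advisory does not mention.

```python
import ipaddress
import socket

# Added example, not Roxy-WI code. AGENT_ENDPOINTS and agent_url() are
# assumptions standing in for the route; the agent port is a parameter.
AGENT_ENDPOINTS = {"version", "uptime", "status", "checks"}


def is_forbidden_ip(ip) -> bool:
    """Refuse private, loopback, link-local (covers 169.254.169.254),
    multicast, reserved, unspecified and other non-global addresses."""
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped  # judge ::ffff:127.0.0.1 as 127.0.0.1
    return (not ip.is_global or ip.is_private or ip.is_loopback
            or ip.is_link_local or ip.is_multicast or ip.is_reserved
            or ip.is_unspecified)


def validate_target(host: str) -> str:
    """Resolve `host` once, vet every address, return one vetted IP literal.
    The caller connects to that literal and never re-resolves the name, so a
    later lookup cannot rebind it to an internal IP. Raises ValueError."""
    host = host.strip("[]").split("%", 1)[0]  # drop IPv6 brackets / zone id
    try:
        candidates = [ipaddress.ip_address(host)]
    except ValueError:  # not a literal: the single DNS lookup happens here
        infos = socket.getaddrinfo(host, None, proto=socket.IPPROTO_TCP)
        candidates = [ipaddress.ip_address(i[4][0].split("%", 1)[0]) for i in infos]
    for ip in candidates:
        if is_forbidden_ip(ip):
            raise ValueError(f"{host!r} resolves to forbidden address {ip}")
    return str(candidates[0])


def is_allowed_target(host: str) -> bool:
    """Boolean wrapper around validate_target() for filters and tests."""
    try:
        validate_target(host)
        return True
    except ValueError:
        return False


def agent_url(endpoint: str, server_ip: str, agent_port: int) -> str:
    """Hardened counterpart of the vulnerable route: only a known endpoint
    and only a validated address reach the outgoing request URL."""
    if endpoint not in AGENT_ENDPOINTS:
        raise ValueError(f"unknown agent endpoint {endpoint!r}")
    ip = validate_target(server_ip)
    host = f"[{ip}]" if ":" in ip else ip  # bracket IPv6 literals in URLs
    return f"http://{host}:{agent_port}/{endpoint}"
```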
Preconditions
- auth: No authentication is required to access the vulnerable routes.
- network: The attacker must have network access to the Roxy-WI instance.
- input: The attacker must be able to control the server_ip path component in the URL.
Reproduction
# AWS metadata.
curl -sb /tmp/u.jar -o /dev/null -w 'metadata → HTTP %{http_code}, %{size_download}B\n' \
  'http://victim.example/smon/agent/uptime/169.254.169.254'

# Internal services not exposed externally:
curl -sb /tmp/u.jar -w '%{http_code}\n' \
  'http://victim.example/smon/agent/status/127.0.0.1'
Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References (1)
News mentions (0)
No linked articles in our index yet.