CVE-2026-45563
Description
Roxy-WI allows any authenticated user to view another user's audit trail via an IDOR vulnerability in the history endpoint.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Vulnerability
In Roxy-WI versions 8.2.6.4 and prior, the `GET /history/<service>/<server_ip>` endpoint improperly re-uses the `server_ip` path parameter as a user ID when the `service` parameter is set to `user`. This happens without an adequate authorization check, so any authenticated user can read sensitive audit trail data [1].
Exploitation
An attacker must first be authenticated to Roxy-WI. Once authenticated, even with guest privileges in an unrelated group, they can craft a specific GET request to /history/user/<user_id>, where <user_id> is the ID of the target user. This request will return the full action audit trail of the specified user [1].
Impact
Successful exploitation allows an attacker to view any other user's complete action audit trail. This includes details such as the server IPs they have accessed, the timing and nature of configuration changes, and service restart events. This information can be used for reconnaissance to plan more targeted attacks [1].
Mitigation
At the time of publication, there are no publicly available patches for this vulnerability. The provided code snippet shows a proposed fix that includes checks for user ID matching, admin privileges, and group access, but this fix has not been released in a stable version [1].
AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
Affected products: 1
Patches: 0
No patches discovered yet.
Vulnerability mechanics
Root cause
"The application fails to perform an authorization check when retrieving user history."
Attack vector
An authenticated user, regardless of their group or role, can send a GET request to `/history/<service>/<server_ip>` where the `service` parameter is set to 'user' [1]. The `server_ip` path parameter is then re-used as a user ID without any validation or access control checks. This allows any authenticated user to view the complete action audit trail of any other user [1].
Affected code
The vulnerability resides in the `service_history` function within `app/routes/main/routes.py`. The code directly uses the `server_ip` path parameter as a user ID when the `service` parameter equals 'user', without implementing proper authorization guards like `is_user_has_access_to_its_group` or `page_for_admin` for this specific branch [1].
What the fix does
The patch introduces authorization checks for the user history endpoint when the service is 'user'. Specifically, it verifies whether the target user ID matches the current user's ID. If they do not match, it calls `roxywi_auth.page_for_admin(level=2)` and `roxywi_common.is_user_has_access_to_its_group(target_user_id)` to ensure the requesting user has the necessary permissions to view another user's history [1].
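The shape of that guard, as an added illustration that is not Roxy-WI's own code: a vulnerable handler that reuses the path segment as a user ID beside a hardened one that allows a user's own history unconditionally and otherwise requires admin level and group access before any data is read. The `User` model, the in-memory audit-log store and the two helpers named `page_for_admin` and `is_user_has_access_to_its_group` are stand-ins with assumed semantics (role numbering is assumed to be 1 = superadmin, 2 = admin, 3 = user, 4 = guest, so a lower number means more privilege); only the structure of the check follows the write-up above.

```python
# Added illustration, not Roxy-WI's own code. Models, data and helpers are
# stand-ins; the role numbering (1 = superadmin ... 4 = guest) is an assumption.
from dataclasses import dataclass


class Forbidden(Exception):
    """Raised where a web framework would answer HTTP 403."""


@dataclass(frozen=True)
class User:
    id: int
    group_id: int
    role: int


# Constructed sample data: three users in two groups, plus per-user audit logs.
USERS = {
    1: User(id=1, group_id=1, role=1),  # superadmin
    2: User(id=2, group_id=1, role=2),  # admin of group 1
    3: User(id=3, group_id=2, role=4),  # guest in an unrelated group
}
USER_HISTORY = {
    1: ["2026-06-01 restart haproxy on 10.0.0.5", "2026-06-02 edit config 10.0.0.5"],
    2: ["2026-06-03 login"],
    3: ["2026-06-04 login"],
}
SERVER_HISTORY = {"10.0.0.5": ["2026-06-01 haproxy restarted"]}


def page_for_admin(user: User, level: int = 2) -> None:
    """Stand-in for roxywi_auth.page_for_admin: reject roles weaker than `level`."""
    if user.role > level:
        raise Forbidden(f"user {user.id} (role {user.role}) is below admin level {level}")


def is_user_has_access_to_its_group(user: User, target_user_id: int) -> bool:
    """Stand-in for roxywi_common.is_user_has_access_to_its_group: an admin may only
    reach users inside their own group; the superadmin reaches every group."""
    target = USERS.get(target_user_id)
    if target is None:
        raise KeyError(f"no such user {target_user_id}")
    if user.role == 1 or target.group_id == user.group_id:
        return True
    raise Forbidden(f"user {user.id} has no access to group {target.group_id}")


def service_history_vulnerable(current_user: User, service: str, server_ip: str) -> list:
    """Pre-fix shape: the path segment is reused as a user ID with no guard at all."""
    if service == "user":
        return USER_HISTORY.get(int(server_ip), [])
    return SERVER_HISTORY.get(server_ip, [])


def service_history_fixed(current_user: User, service: str, server_ip: str) -> list:
    """Post-fix shape: own history is always allowed; anyone else's requires admin
    level and group access, checked in that order before any record is read."""
    if service == "user":
        target_user_id = int(server_ip)  # same path segment, now parsed as an ID
        if target_user_id != current_user.id:
            page_for_admin(current_user, level=2)
            is_user_has_access_to_its_group(current_user, target_user_id)
        return USER_HISTORY.get(target_user_id, [])
    return SERVER_HISTORY.get(server_ip, [])


def can_view(handler, current_user: User, target_user_id: int) -> bool:
    """True if `handler` hands back the target's history, False if it refuses (403)."""
    try:
        handler(current_user, "user", str(target_user_id))
        return True
    except Forbidden:
        return False


if __name__ == "__main__":
    guest = USERS[3]
    print("vulnerable, guest -> user 1:", can_view(service_history_vulnerable, guest, 1))
    print("fixed,      guest -> user 1:", can_view(service_history_fixed, guest, 1))
```

The order of the two checks matters: the cheap role test runs first, so a guest is refused before any group lookup, and the group test then stops an admin from reading history outside the group they administer.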
Preconditions
- auth: The attacker must be an authenticated user.
Reproduction
```
# Proof of concept (live verified)
# Logged-in as guest (role=4):
curl -sb /tmp/guest.jar -o /tmp/hist.html \
  -w 'GET /history/user/1 → HTTP %{http_code}\n' \
  http://victim.example/history/user/1
grep -o '<title>[^<]*</title>' /tmp/hist.html
```
Live output (commit d72ea494):
```
GET /history/user/1 → HTTP 200
<title>History of user</title>
```
The body is the rendered admin-history page: 367 lines of HTML containing the targeted user's audit log. [1]
Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
References: 1
News mentions: 0
No linked articles in our index yet.