Roxy-WI has Pre-Authentication LDAP Injection that Leads to Authentication Bypass

7.7 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

Description

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions up to and including 8.2.8.2, when LDAP authentication is enabled, Roxy-WI constructs an LDAP search filter by directly concatenating the user-supplied login username into the filter string without escaping LDAP special characters. An unauthenticated attacker can inject LDAP filter metacharacters into the username field to manipulate the search query, cause the directory to return an unintended user entry, and bypass authentication entirely — gaining access to the application without knowing any valid password. As of time of publication, no known patches are available.

Basic Information

ID CVE-2026-33432

Source GitHub_M

Published Apr 20, 2026 at 20:26

Affected Product

Vendor roxy-wi

Product roxy-wi

Version <= 8.2.8.2

Affected Versions roxy-wi roxy-wi <= 8.2.8.2

CWE Classification

CWE-287

References

{
    "lastseen": "",
    "description": "Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions up to and including 8.2.8.2, when LDAP authentication is enabled, Roxy-WI constructs an LDAP search filter by directly concatenating the user-supplied login username into the filter string without escaping LDAP special characters. An unauthenticated attacker can inject LDAP filter metacharacters into the username field to manipulate the search query, cause the directory to return an unintended user entry, and bypass authentication entirely \u2014 gaining access to the application without knowing any valid password. As of time of publication, no known patches are available.",
    "published": "2026-04-20T20:26:52.217Z",
    "modified": "2026-04-20T20:26:52.217Z",
    "type": "cve",
    "title": "Roxy-WI has Pre-Authentication LDAP Injection that Leads to Authentication Bypass",
    "source": "GitHub_M",
    "references": "https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-hv3x-4w38-r92m\nhttps://github.com/roxy-wi/roxy-wi/blob/v8.2.8.2/app/modules/roxywi/auth.py",
    "id": "CVE-2026-33432",
    "bulletinFamily": "",
    "cwe": [
        "CWE-287"
    ],
    "cvelist": null,
    "sourceData": "roxy-wi roxy-wi <= 8.2.8.2",
    "sourceHref": "",
    "cvss": {
        "score": 7.7,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "roxy-wi",
    "version": "<= 8.2.8.2",
    "vendor": "roxy-wi",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Roxy-WI has Pre-Authentication LDAP Injection that Leads to Authentication Bypass_CVE-2026-33432