Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions up to and including 8.2.8.2, when LDAP authentication is enabled, Roxy-WI constructs an LDAP search filter by directly concatenating the user-supplied login username into the filter string without escaping LDAP special characters. An unauthenticated attacker can inject LDAP filter metacharacters into the username field to manipulate the search query, cause the directory to return an unintended user entry, and bypass authentication entirely — gaining access to the application without knowing any valid password. As of time of publication, no known patches are available.
Published: 2026-04-20
Score: 7.7 High
EPSS: n/a
KEV: No
Impact: Authentication Bypass
Action: Apply Mitigation
AI Analysis

Impact

The vulnerability arises because Roxy-WI, when LDAP authentication is enabled, concatenates the user-supplied login string directly into an LDAP search filter without escaping LDAP special characters. An unauthenticated attacker can inject LDAP metacharacters into the username field, causing the search operation to return an unintended directory entry and thereby bypassing authentication. As a result, the attacker gains authenticated access to the application's interface, potentially with full administrative privileges. The flaw is classified as CWE-287 and carries a CVSS score of 7.7.

Affected Systems

The affected product is Roxy-WI, published by the vendor roxy-wi. The issue is present in all versions up to and including 8.2.8.2. No official patch or workaround had been released by the vendor at the time of publication, and the vulnerability is not listed in the CISA KEV catalog.

Risk and Exploitability

With a network-reachable, unauthenticated attack vector and a CVSS score of 7.7, the risk level is considered high. The absence of an EPSS score means the exploitation probability cannot be quantified, but the lack of a patch and the straightforward injection technique suggest that capable attackers could readily exploit the flaw. Because the vulnerability is not in the KEV catalog, no confirmed in-the-wild exploitation has been recorded there yet, but active exploitation by risk-tolerant adversaries remains a realistic possibility. Protective action should be taken by disabling LDAP authentication, applying a local code fix, or restricting network access to the Roxy-WI instance.

Generated by OpenCVE AI on April 20, 2026 at 23:59 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable LDAP authentication entirely if it is not essential for operation, or restrict access to the login page to trusted IP ranges.
  • Apply a defensive coding change by editing the auth.py file to properly escape or sanitize LDAP filter metacharacters before constructing the search filter.
  • Monitor authentication logs for abnormal patterns of injected characters or repeated failed login attempts, and react promptly to any suspicious activity.
  • Keep the application under continuous review of vendor notices and update to any future version that addresses the flaw as soon as a patch is released.
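The second recommended action, escaping LDAP filter metacharacters before the filter is built, is shown below as an added example written for this page; it is not Roxy-WI's own code, and the function names and the `uid` attribute are assumptions. It places the unsafe concatenation pattern the advisory describes beside an RFC 4515 escaping routine and a structural check a defender can run on the resulting filter.

```python
# Added example (not Roxy-WI's own code): RFC 4515 escaping for values
# placed inside an LDAP search filter, next to the unsafe concatenation
# pattern the advisory describes. Function names and the "uid" attribute
# are assumptions, not Roxy-WI identifiers.

# Characters with structural meaning inside an LDAP filter (RFC 4515 s.3).
# Each is replaced by a backslash plus the two-digit hex code of the byte.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Escape a value for safe inclusion in an LDAP filter assertion."""
    out = []
    for ch in value:
        if ch in _LDAP_FILTER_ESCAPES:
            out.append(_LDAP_FILTER_ESCAPES[ch])
        elif ord(ch) > 0x7F:
            # Non-ASCII characters are emitted as escaped UTF-8 bytes.
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def build_login_filter_unsafe(username: str, attr: str = "uid") -> str:
    """Vulnerable pattern: the login name is concatenated verbatim, so
    metacharacters in it change the structure of the query."""
    return f"({attr}={username})"


def build_login_filter(username: str, attr: str = "uid") -> str:
    """Hardened version: the login name is escaped, so whatever the user
    types is matched literally against one attribute value."""
    return f"({attr}={escape_ldap_filter_value(username)})"


def filter_is_single_equality(filt: str, attr: str) -> bool:
    """Sanity check before sending a login filter: the only unescaped
    parentheses must be the outer pair of a single equality assertion."""
    unescaped_parens, i = 0, 0
    while i < len(filt):
        if filt[i] == "\\":
            i += 3  # skip the \xx escape sequence
            continue
        if filt[i] in "()":
            unescaped_parens += 1
        i += 1
    return unescaped_parens == 2 and filt.startswith(f"({attr}=")
```

With the hardened builder, a login name containing `*`, `(` or `)` yields a filter that still matches exactly one attribute value, and the structural check rejects any filter where extra unescaped parentheses slipped through.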

Generated by OpenCVE AI on April 20, 2026 at 23:59 UTC.

Tracking


Advisories

No advisories yet.

History

Mon, 20 Apr 2026 22:45:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Roxy-wi; Roxy-wi roxy-wi
Vendors & Products  |                | Roxy-wi; Roxy-wi roxy-wi

Mon, 20 Apr 2026 21:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions up to and including 8.2.8.2, when LDAP authentication is enabled, Roxy-WI constructs an LDAP search filter by directly concatenating the user-supplied login username into the filter string without escaping LDAP special characters. An unauthenticated attacker can inject LDAP filter metacharacters into the username field to manipulate the search query, cause the directory to return an unintended user entry, and bypass authentication entirely — gaining access to the application without knowing any valid password. As of time of publication, no known patches are available.
Title       |                | Roxy-WI has Pre-Authentication LDAP Injection that Leads to Authentication Bypass
Weaknesses  |                | CWE-287
References  |                |
Metrics     |                | cvssV4_0 {'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-20T20:26:52.217Z

Reserved: 2026-03-19T18:45:22.435Z

Link: CVE-2026-33432

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-04-20T21:16:34.970

Modified: 2026-04-20T21:16:34.970

Link: CVE-2026-33432

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-21T00:00:13Z

Weaknesses