Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions up to and including 8.2.8.2, when LDAP authentication is enabled, Roxy-WI constructs an LDAP search filter by directly concatenating the user-supplied login username into the filter string without escaping LDAP special characters. An unauthenticated attacker can inject LDAP filter metacharacters into the username field to manipulate the search query, cause the directory to return an unintended user entry, and bypass authentication entirely — gaining access to the application without knowing any valid password. As of time of publication, no known patches are available.
Published: 2026-04-20
Score: 7.7 High
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Apply Mitigation
AI Analysis

Impact

The vulnerability arises when Roxy-WI, if LDAP authentication is activated, concatenates a user-supplied login string directly into an LDAP search filter without escaping special characters. An unauthenticated attacker can inject LDAP meta-characters into the username field, causing the search operation to return an unintended directory entry and thereby bypass authentication. As a result, the attacker gains authenticated access to the application’s interface, potentially with full administrative privileges. This flaw is classified as CWE-287 and is reflected in a CVSS score of 7.7.

Affected Systems

The affected product is Roxy-WI, managed by the roxy-wi vendor. The issue is present in all versions up to and including 8.2.8.2. No official patch or workaround has been released by the vendor at the time of publication, and the vulnerability is not listed in the CISA KEV catalog.

Risk and Exploitability

With an unauthenticated attack vector and a CVSS score of 7.7, the technical severity is high. The EPSS score of 0.00142 (below 1%) indicates a very low probability of real-world exploitation, but the vulnerability’s lack of a patch and its straightforward injection mechanism still allow skilled attackers to use it. Since it is not listed in CISA KEV, no widespread active exploits have been observed, yet the potential for targeted attacks exists. Protective action remains necessary through disabling LDAP authentication, applying a local code fix, or restricting network access to the Roxy-WI instance.

Generated by OpenCVE AI on April 28, 2026 at 16:19 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Disable LDAP authentication entirely if it is not essential for operation, or restrict access to the login page to trusted IP ranges.
  • Apply a defensive coding change by editing the auth.py file to properly escape or sanitize LDAP filter metacharacters before constructing the search filter.
  • Monitor authentication logs for abnormal patterns of injected characters or repeated failed login attempts, and react promptly to any suspicious activity.
  • Keep the application under continuous review of vendor notices and update to any future version that addresses the flaw as soon as a patch is released.

Generated by OpenCVE AI on April 28, 2026 at 16:19 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 24 Apr 2026 19:30:00 +0000

Type Values Removed Values Added
Weaknesses NVD-CWE-noinfo
CPEs cpe:2.3:a:roxy-wi:roxy-wi:*:*:*:*:*:*:*:*
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N'}

Wed, 22 Apr 2026 00:00:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 20 Apr 2026 22:45:00 +0000

Type Values Removed Values Added
First Time appeared Roxy-wi
Roxy-wi roxy-wi
Vendors & Products Roxy-wi
Roxy-wi roxy-wi

Mon, 20 Apr 2026 21:00:00 +0000

Type Values Removed Values Added
Description Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions up to and including 8.2.8.2, when LDAP authentication is enabled, Roxy-WI constructs an LDAP search filter by directly concatenating the user-supplied login username into the filter string without escaping LDAP special characters. An unauthenticated attacker can inject LDAP filter metacharacters into the username field to manipulate the search query, cause the directory to return an unintended user entry, and bypass authentication entirely — gaining access to the application without knowing any valid password. As of time of publication, no known patches are available.
Title Roxy-WI has Pre-Authentication LDAP Injection that Leads to Authentication Bypass
Weaknesses CWE-287
References
Metrics cvssV4_0

{'score': 7.7, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P'}

Subscriptions

Roxy-wi Roxy-wi
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-21T17:38:09.523Z

Reserved: 2026-03-19T18:45:22.435Z

Link: CVE-2026-33432

cve-icon Vulnrichment

Updated: 2026-04-21T17:38:00.502Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-20T21:16:34.970

Modified: 2026-04-24T19:18:10.143

Link: CVE-2026-33432

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-28T16:30:35Z

Weaknesses