CVE-2026-33432
CRITICALRoxy-WI has Pre-Authentication LDAP Injection that Leads to Authentication Bypass
Title source: cnaDescription
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions up to and including 8.2.8.2, when LDAP authentication is enabled, Roxy-WI constructs an LDAP search filter by directly concatenating the user-supplied login username into the filter string without escaping LDAP special characters. An unauthenticated attacker can inject LDAP filter metacharacters into the username field to manipulate the search query, cause the directory to return an unintended user entry, and bypass authentication entirely — gaining access to the application without knowing any valid password. As of time of publication, no known patches are available.
References (2)
Core 2
Core References
X_Refsource_Confirm x_refsource_confirm
https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-hv3x-4w38-r92m
X_Refsource_Misc x_refsource_misc
https://github.com/roxy-wi/roxy-wi/blob/v8.2.8.2/app/modules/roxywi/auth.py
Scores
CVSS v3
9.1
EPSS
0.0042
EPSS Percentile
33.6%
Attack Vector
NETWORK
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
CISA SSVC
Vulnrichment
Exploitation
none
Automatable
yes
Technical Impact
partial
Details
CWE
CWE-287
Status
published
Products (2)
roxy-wi/roxy-wi
< 8.2.8.2
roxy-wi/roxy-wi
<= 8.2.8.2
Published
Apr 20, 2026
Tracked Since
Apr 21, 2026