CVE-2026-33432

UNKNOWN 0.0

Roxy-WI has Pre-Authentication LDAP Injection that Leads to Authentication Bypass

CVSS Score

0.0

EPSS Score

0.0%

EPSS Percentile

0th

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions up to and including 8.2.8.2, when LDAP authentication is enabled, Roxy-WI constructs an LDAP search filter by directly concatenating the user-supplied login username into the filter string without escaping LDAP special characters. An unauthenticated attacker can inject LDAP filter metacharacters into the username field to manipulate the search query, cause the directory to return an unintended user entry, and bypass authentication entirely — gaining access to the application without knowing any valid password. As of time of publication, no known patches are available.

CWE	CWE-287
Vendor	roxy-wi
Product	roxy-wi
Published	Apr 20, 2026

Stay Ahead of the Next One

Get instant alerts for roxy-wi roxy-wi

Be the first to know when new unknown vulnerabilities affecting roxy-wi roxy-wi are published — delivered to Slack, Telegram or Discord.

Get Free Alerts → Free · No credit card · 60 sec setup

Affected Versions

roxy-wi / roxy-wi

<= 8.2.8.2

References

NVD ↗ CVE.org ↗ EPSS Data ↗

github.com: https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-hv3x-4w38-r92m github.com: https://github.com/roxy-wi/roxy-wi/blob/v8.2.8.2/app/modules/roxywi/auth.py