Description

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions up to and including 8.2.8.2, when LDAP authentication is enabled, Roxy-WI constructs an LDAP search filter by directly concatenating the user-supplied login username into the filter string without escaping LDAP special characters. An unauthenticated attacker can inject LDAP filter metacharacters into the username field to manipulate the search query, cause the directory to return an unintended user entry, and bypass authentication entirely — gaining access to the application without knowing any valid password. As of time of publication, no known patches are available.

INFO

Published Date :

2026-04-20T20:26:52.217Z

Last Modified :

2026-04-21T17:38:09.523Z

Source :

GitHub_M
AFFECTED PRODUCTS

The following products are affected by CVE-2026-33432 vulnerability.

Vendors Products
Roxy-wi
  • Roxy-wi
REFERENCES

Here, you will find a curated list of external links that provide in-depth information to CVE-2026-33432.

URL Resource
https://github.com/roxy-wi/roxy-wi/blob/v8.2.8.2/app/modules/roxywi/auth.py cve-icon cve-icon
https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-hv3x-4w38-r92m cve-icon cve-icon cve-icon
Login to claim this CVE

CVSS Vulnerability Scoring System

Detailed values of each vector for above chart.
Attack Vector
Attack Complexity
Attack Requirements
Privileges Required
User Interaction
VS Confidentiality
VS Integrity
VS Availability
SS Confidentiality
SS Integrity
SS Availability