Vulnerability Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions up to and including 8.2.8.2, when LDAP authentication is enabled, Roxy-WI constructs an LDAP search filter by directly concatenating the user-supplied login username into the filter string without escaping LDAP special characters. An unauthenticated attacker can inject LDAP filter metacharacters into the username field to manipulate the search query, cause the directory to return an unintended user entry, and bypass authentication entirely — gaining access to the application without knowing any valid password. As of time of publication, no known patches are available.
CVSS Score
CRITICAL
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Roxy-Wi | Roxy-Wi | <= 8.2.8.2 |
Related Weaknesses (CWE)
References
- https://github.com/roxy-wi/roxy-wi/blob/v8.2.8.2/app/modules/roxywi/auth.pyProduct
- https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-hv3x-4w38-r92mExploitVendor Advisory
- https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-hv3x-4w38-r92mExploitVendor Advisory
FAQ
What is CVE-2026-33432?
CVE-2026-33432 is a vulnerability with a CVSS score of 9.1 (CRITICAL). Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions up to and including 8.2.8.2, when LDAP authentication is enabled, Roxy-WI constructs an LDAP search f...
How severe is CVE-2026-33432?
CVE-2026-33432 has been rated CRITICAL with a CVSS base score of 9.1/10. This is considered a critical vulnerability requiring immediate attention.
Is there a patch for CVE-2026-33432?
Check the references section above for vendor advisories and patch information. Affected products include: Roxy-Wi Roxy-Wi.