Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions up to and including 8.2.8.2, when LDAP authentication is enabled, Roxy-WI constructs an LDAP search filter by directly concatenating the user-supplied login username into the filter string without escaping LDAP special characters. An unauthenticated attacker can inject LDAP filter metacharacters into the username field to manipulate the search query, cause the directory to return an unintended user entry, and bypass authentication entirely — gaining access to the application without knowing any valid password. As of time of publication, no known patches are available.
References
| Link | Resource |
|---|---|
| https://github.com/roxy-wi/roxy-wi/blob/v8.2.8.2/app/modules/roxywi/auth.py | Product |
| https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-hv3x-4w38-r92m | Exploit Vendor Advisory |
| https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-hv3x-4w38-r92m | Exploit Vendor Advisory |
Configurations
History
24 Apr 2026, 19:18
| Type | Values Removed | Values Added |
|---|---|---|
| CPE | cpe:2.3:a:roxy-wi:roxy-wi:*:*:*:*:*:*:*:* | |
| CWE | NVD-CWE-noinfo | |
| References | () https://github.com/roxy-wi/roxy-wi/blob/v8.2.8.2/app/modules/roxywi/auth.py - Product | |
| References | () https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-hv3x-4w38-r92m - Exploit, Vendor Advisory | |
| CVSS |
v2 : v3 : |
v2 : unknown
v3 : 9.1 |
| First Time |
Roxy-wi roxy-wi
Roxy-wi |
21 Apr 2026, 18:16
| Type | Values Removed | Values Added |
|---|---|---|
| References | () https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-hv3x-4w38-r92m - |
20 Apr 2026, 21:16
| Type | Values Removed | Values Added |
|---|---|---|
| New CVE |
Information
Published : 2026-04-20 21:16
Updated : 2026-04-24 19:18
NVD link : CVE-2026-33432
Mitre link : CVE-2026-33432
CVE.ORG link : CVE-2026-33432
JSON object : View
Products Affected
roxy-wi
- roxy-wi
CWE