Critical severity9.1NVD Advisory· Published Apr 20, 2026· Updated Apr 24, 2026

CVE-2026-33432

Description

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions up to and including 8.2.8.2, when LDAP authentication is enabled, Roxy-WI constructs an LDAP search filter by directly concatenating the user-supplied login username into the filter string without escaping LDAP special characters. An unauthenticated attacker can inject LDAP filter metacharacters into the username field to manipulate the search query, cause the directory to return an unintended user entry, and bypass authentication entirely — gaining access to the application without knowing any valid password. As of time of publication, no known patches are available.

Affected products

Roxy Wi/Roxy Wi
cpe:2.3:a:roxy-wi:roxy-wi:*:*:*:*:*:*:*:*
Range: <=8.2.8.2

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/roxy-wi/roxy-wi/security/advisories/GHSA-hv3x-4w38-r92mnvdExploitVendor Advisory
github.com/roxy-wi/roxy-wi/blob/v8.2.8.2/app/modules/roxywi/auth.pynvdProduct

News mentions

No linked articles in our index yet.

cvss	0.591
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000