VYPR
Medium severity (score 4.9) · NVD Advisory · Published Jun 10, 2026 · Updated Jun 10, 2026

CVE-2026-45559

Description

Roxy-WI versions prior to 8.2.6.4 are vulnerable to LDAP injection via the get_ldap_email function, allowing admins to enumerate LDAP attributes.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

Roxy-WI versions 8.2.6.4 and prior contain an LDAP injection vulnerability in the get_ldap_email function located in app/modules/roxywi/user.py. The function constructs an LDAP search filter using an f-string that directly incorporates the username URL path parameter without proper sanitization or escaping. This allows for the injection of additional LDAP clauses into the search filter.

Exploitation

An attacker with admin privileges (level 2) can exploit this vulnerability by sending a crafted request to the /user/ldap/ endpoint. By supplying a username containing LDAP metacharacters, such as *)(mail=*)(cn=*, the attacker injects additional search criteria into the filter. This allows them to enumerate or harvest attributes from LDAP records beyond the scope the application intends to expose [1].

Impact

Successful exploitation allows an administrator to enumerate the LDAP directory beyond what the application intends to expose. In environments where the admin role is delegated, this could lead to the exposure of the operator's LDAP corpus, potentially revealing sensitive information within the directory.

Mitigation

At the time of publication, there are no publicly available patches for this vulnerability. The recommended fix involves properly escaping LDAP metacharacters in the username parameter before incorporating it into the LDAP search filter. Roxy-WI is listed as a potential target for exploitation, but no specific remediation steps or fixed versions have been disclosed in the available references [1].

AI Insight generated on Jun 10, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products (2)

  • Roxy Wi / Roxy Wi (inferred), 2 versions
    • (no CPE) range: <=8.2.6.4
    • (no CPE) range: <=8.2.6.4

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

"The application improperly constructs LDAP search filters by directly concatenating user-supplied input."

Attack vector

An administrator-level user can trigger this vulnerability by sending a crafted username in the URL path parameter to the `/user/ldap/<username>` endpoint. The username, such as `*)(mail=*)(cn=*`, is inserted directly into an LDAP filter string without proper sanitization or escaping. This allows the attacker to inject additional LDAP query clauses, enabling them to enumerate or harvest attributes beyond the intended scope [ref_id=1]. The proof of concept demonstrates this by using `curl` to send the malicious username to the target URL [ref_id=1].

Affected code

The vulnerability resides in the `get_ldap_email` function located in `app/modules/roxywi/user.py` (lines 120-157). This function constructs the LDAP search filter using an f-string that directly incorporates the `username` URL path parameter. The affected route is defined in `app/routes/user/routes.py` (lines 39-47), which calls `get_ldap_email` with the user-provided username [ref_id=1].

What the fix does

The advisory indicates that the fix involves properly escaping special characters within the username before it is used in the LDAP search filter. The proposed patch uses `ldap.filter.escape_filter_chars` to sanitize the `ldap_class_search`, `ldap_user_attribute`, and `username` variables. This ensures that any characters that could be interpreted as LDAP filter metacharacters are treated as literal characters, preventing the injection of additional clauses and thus closing the vulnerability [ref_id=1]. At the time of publication, no patches were publicly available.
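To make the root cause and the fix concrete, here is an added example (not Roxy-WI's code and not taken from the advisory) that places the unsafe f-string construction beside an escaped version. The filter shape `(&(objectClass=...)(attr=username))` is an assumption, since the page does not show the actual filter; `escape_filter_chars` is reimplemented here from RFC 4515 to match the default behaviour of python-ldap's `ldap.filter.escape_filter_chars`, so the example runs without python-ldap installed. The two helper checks, `count_assertions` and `looks_like_filter_injection`, are likewise hypothetical additions for verifying and detecting the issue.

```python
# Added example (not Roxy-WI's own code): the advisory's unsafe f-string
# construction of an LDAP search filter beside a version that escapes every
# user-controlled fragment per RFC 4515, plus two defender-side checks.
# The (&(objectClass=...)(attr=username)) filter shape is an assumption;
# the advisory does not show the real one.

# Characters RFC 4515 requires to be escaped inside an assertion value.
# This mirrors the default mode of python-ldap's ldap.filter.escape_filter_chars
# and is reimplemented here so the example runs without python-ldap.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_chars(value: str) -> str:
    """Return value with LDAP filter metacharacters replaced by \\XX hex escapes."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(ldap_class_search: str, ldap_user_attribute: str, username: str) -> str:
    """The vulnerable pattern: user input interpolated straight into the filter."""
    return f"(&(objectClass={ldap_class_search})({ldap_user_attribute}={username}))"


def build_filter_safe(ldap_class_search: str, ldap_user_attribute: str, username: str) -> str:
    """The fixed pattern: every interpolated fragment is escaped first."""
    return (
        f"(&(objectClass={escape_filter_chars(ldap_class_search)})"
        f"({escape_filter_chars(ldap_user_attribute)}={escape_filter_chars(username)}))"
    )


def count_assertions(ldap_filter: str) -> int:
    """Number of attribute assertions in a filter built by the two functions above.

    Each assertion sits in its own parentheses and the outer (&...) adds one
    more '('. Escaped metacharacters appear as \\28 / \\29, not as literal
    parentheses, so counting '(' is exact for these filters.
    """
    return ldap_filter.count("(") - 1


def looks_like_filter_injection(username: str) -> bool:
    """Detection hook: True if the username carries any filter metacharacter.

    A legitimate login name never needs these characters, so a hit is worth
    logging or alerting on even once the escaping fix is deployed.
    """
    return any(ch in _ESCAPES for ch in username)


if __name__ == "__main__":
    # Constructed sample inputs: a normal login and the payload quoted in the advisory.
    for name in ("alice", "*)(mail=*)(cn=*"):
        unsafe = build_filter_unsafe("person", "uid", name)
        safe = build_filter_safe("person", "uid", name)
        print(f"username={name!r} suspicious={looks_like_filter_injection(name)}")
        print(f"  unsafe: {unsafe}  assertions={count_assertions(unsafe)}")
        print(f"  safe:   {safe}  assertions={count_assertions(safe)}")
```

Run as a script, the unsafe builder turns the advisory's payload into a filter with four assertions (the injected `mail=*` and `cn=*` clauses become live search criteria), while the escaped builder keeps exactly the two assertions the application intended, with the whole payload confined to the `uid` value. Escaping every interpolated fragment, including the attribute name and object class as the proposed patch does, is what closes the injection; the `looks_like_filter_injection` check is a complementary signal for logging, not a substitute for escaping.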

Preconditions

  • Auth: The attacker must have administrator-level privileges (level=2, any group admin) [ref_id=1].
  • Network: The attacker must be able to send HTTP requests to the vulnerable Roxy-WI instance.
  • Input: The attacker must provide a specially crafted username containing LDAP filter metacharacters.

Reproduction

curl -sb /tmp/admin.jar 'http://victim.example/user/ldap/*)(mail=*)(cn=*' [ref_id=1]

Generated on Jun 10, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (1)

One reference is cited as [1] above; its URL is not included on this page.

News mentions (0)

No linked articles in our index yet.