CVE-2026-33432 HIGH

CVE-2026-33432: Roxy-WI has Pre-Authentication LDAP Injection that Leads to Authentication Bypass

Vendor Roxy-Wi
Product roxy-wi
Weakness CWE-287 · Improper authentication
Published April 20, 2026
Last update April 21, 2026

CVSS base score

7.7/10
Attack vector Network
Attack complexity Low
Privileges required None
User interaction None
Confidentiality
Integrity

CVSS vector

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P

What the vulnerability does

01Description

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions up to and including 8.2.8.2, when LDAP authentication is enabled, Roxy-WI constructs an LDAP search filter by directly concatenating the user-supplied login username into the filter string without escaping LDAP special characters. An unauthenticated attacker can inject LDAP filter metacharacters into the username field to manipulate the search query, cause the directory to return an unintended user entry, and bypass authentication entirely — gaining access to the application without knowing any valid password. As of time of publication, no known patches are available.

Key dates

02Disclosure timeline

April 20, 2026 CVE published
April 21, 2026 Record updated