CVE-2026-33432
LDAP Injection in Roxy-WI Allows Unauthenticated Authentication Bypass
Publication date: 2026-04-20
Last updated on: 2026-04-24
Assigner: GitHub, Inc.
Description
CVSS Scores
EPSS Scores
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| roxy-wi | roxy-wi | up to and including 8.2.8.2 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-287 | When an actor claims to have a given identity, the product does not prove or insufficiently proves that the claim is correct. |
AI Powered Q&A
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be confirmed by probing the Roxy-WI login flow for the LDAP injection behaviour, on an instance you are authorized to test and ideally a non-production copy. The check is whether the LDAP authentication filter is vulnerable: send login requests whose username contains LDAP filter metacharacters and observe whether a session is granted without valid credentials.
A practical probe is a POST to the Roxy-WI login endpoint with a username such as "*" (a wildcard that matches every entry) or "*)(uid=)" (which closes the assertion early and injects a second one) together with an arbitrary password. The exact login path, form field names and LDAP attribute depend on the deployment; the ones below are placeholders, and the attribute name in the injected assertion must match the one the server's filter actually uses.
Example command using curl to test the vulnerability (replace URL and parameters accordingly; -i shows the status line and any Set-Cookie header, -c stores a session cookie if one is issued):
- curl -i -c cookies.txt -X POST https://your-roxy-wi-instance/login -d 'username=*)(uid=)' -d 'password=anypassword'
If the response indicates successful authentication (for example a redirect to the dashboard, or a session cookie or token is issued) despite the invalid password, the instance is vulnerable. A login failure does not prove the instance is patched: a different attribute or filter shape on the server may simply not match the probe, so also verify the installed version against the affected range above.
Additionally, if LDAP server or application logs are accessible, search the recorded login usernames and LDAP search filters for unescaped metacharacters such as *, ( and ), or for filter patterns that contain more than one assertion where a single (attribute=value) is expected; these indicate exploitation attempts.
Can you explain this vulnerability to me?
This vulnerability exists in Roxy-WI versions up to and including 8.2.8.2 when LDAP authentication is enabled. The application constructs an LDAP search filter by directly concatenating the user-supplied login username into the filter string without escaping the characters that RFC 4515 reserves for filter syntax (backslash, asterisk, parentheses and NUL).
An unauthenticated attacker can exploit this by injecting LDAP filter metacharacters into the username field. Because the characters are not escaped, they are interpreted as filter syntax rather than as part of the value, so the attacker controls the structure of the search rather than only the name being looked up. The manipulated filter causes the LDAP directory to return an unintended user entry, which the application treats as a successful lookup, allowing the attacker to bypass authentication and gain access without knowing any valid password. This is the authentication weakness classified as CWE-287 above.
As of the time of publication, no known patches are available to fix this issue.
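The mechanism described above, plus the log check from the detection answer, as an added example that is not Roxy-WI's code and does not reproduce its real filter. The attribute name "uid" and the filter shape "(uid=USERNAME)" are assumptions for illustration, and the log lines are constructed, not real Roxy-WI output. It shows the raw-concatenation pattern beside an RFC 4515-escaped version, a structural check that tells the two apart, and a scan over login records for usernames carrying filter metacharacters.

```python
import re

# Assumption for illustration: the attribute Roxy-WI matches the login
# name against. The advisory does not publish the real filter.
USER_ATTR = "uid"

# RFC 4515 section 3: characters that must be hex-escaped in an assertion value.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# The same characters, as a detector for raw user input.
_META = re.compile(r"[*()\\\x00]")

# Exactly one (attr=value) assertion whose value holds no unescaped metacharacter;
# escaped bytes appear as backslash plus two hex digits.
_SINGLE_LITERAL = re.compile(
    r"^\([A-Za-z][\w-]*=((?:[^*()\\\x00]|\\[0-9a-fA-F]{2})*)\)$"
)


def escape_filter_value(value: str) -> str:
    """Escape user input per RFC 4515 so it stays a literal assertion value."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def vulnerable_filter(username: str) -> str:
    """Filter built by raw concatenation: the pattern this CVE describes."""
    return f"({USER_ATTR}={username})"


def hardened_filter(username: str) -> str:
    """Same filter with the user-controlled value escaped first."""
    return f"({USER_ATTR}={escape_filter_value(username)})"


def is_single_literal_assertion(filter_str: str) -> bool:
    """True iff the filter still has the shape the developer intended:
    one (attr=value) with no wildcard and no injected assertions."""
    return _SINGLE_LITERAL.match(filter_str) is not None


# Constructed sample login records (hypothetical format, not Roxy-WI's log).
SAMPLE_LOG = [
    '2026-04-21T10:00:01Z login user="alice" src=198.51.100.7 result=ok',
    '2026-04-21T10:00:05Z login user="*" src=203.0.113.5 result=ok',
    '2026-04-21T10:00:09Z login user="*)(uid=)" src=203.0.113.5 result=ok',
    '2026-04-21T10:00:12Z login user="bob" src=198.51.100.8 result=fail',
]

_USER_FIELD = re.compile(r'user="([^"]*)"')


def suspicious_logins(log_lines):
    """Return (line_number, username) for records whose username carries
    LDAP filter metacharacters, i.e. likely injection attempts."""
    hits = []
    for n, line in enumerate(log_lines, 1):
        m = _USER_FIELD.search(line)
        if m and _META.search(m.group(1)):
            hits.append((n, m.group(1)))
    return hits


if __name__ == "__main__":
    for probe in ("alice", "*", "*)(uid=)"):
        raw, safe = vulnerable_filter(probe), hardened_filter(probe)
        print(f"{probe!r:12} raw={raw!r:22} intact={is_single_literal_assertion(raw)!s:5} "
              f"escaped={safe!r}")
    for n, user in suspicious_logins(SAMPLE_LOG):
        print(f"line {n}: suspicious username {user!r}")
```

With the wildcard probe the raw filter becomes "(uid=*)", which matches every entry in the search base, so the directory hands back whichever user entry it lists first and the application has no reason to reject it. After escaping, the same input is the literal string "\2a", which matches no real account. The structural check is the test a reviewer can apply to any filter the application emits; the log scan is the same idea applied after the fact.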
How can this vulnerability impact me?
This vulnerability allows an unauthenticated attacker to bypass authentication and gain unauthorized access to the Roxy-WI application.
Because Roxy-WI is a management interface for HAProxy, NGINX, Apache and Keepalived, such access can allow an attacker to view or change the configuration of those servers, which could result in further compromise of the underlying infrastructure.
What immediate steps should I take to mitigate this vulnerability?
As of the time of publication, no known patches are available for this vulnerability.
To mitigate the risk, disable LDAP authentication in Roxy-WI until a fix is released, since the flaw is only reachable when LDAP authentication is enabled.
Additionally, restrict access to the Roxy-WI interface to trusted networks or users only (for example by placing it behind a VPN or an allow-list on the reverse proxy), to reduce the attack surface.
Monitor access logs for login attempts whose username contains LDAP filter metacharacters such as *, ( or ), and for successful logins from unexpected sources, as these may indicate exploitation attempts.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
Because this vulnerability lets an unauthenticated attacker bypass authentication by injecting LDAP filter metacharacters, it undermines the access control that Roxy-WI relies on, and the resulting access can lead to exposure or manipulation of the configuration and data managed through the application.
As a result, organizations using affected versions of Roxy-WI may face compliance risks with standards and regulations like GDPR and HIPAA, which require strict access controls and protection of personal and sensitive data.
Failure to prevent unauthorized access due to this vulnerability could lead to violations of these regulations, potentially resulting in legal penalties, data breaches, and loss of trust.