CVE-2026-45559
Status: Received - Intake
LDAP Injection in Roxy-WI Web Interface

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, get_ldap_email (app/modules/roxywi/user.py:120-157) builds the LDAP search filter via f-string concatenation. The username URL path parameter is taken verbatim (no checkAjaxInput, no LDAP escaping) and inserted into the filter, so a username like *)(mail=*)(cn=* injects additional clauses, allowing the admin to enumerate or harvest attributes outside the intended record. At time of publication, there are no publicly available patches.
Affected Vendors & Products
Vendor    Product   Version / Range
roxy-wi   roxy-wi   to 8.2.6.4 (exc)
CWE
CWE-90: The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.
AI Quick Actions (the following sections are AI-generated insights)
Mitigation Strategies

Immediate mitigation involves restricting or monitoring admin-level access to the `/user/ldap/<username>` endpoint to prevent exploitation.

Since no public patches are available at the time of publication, administrators should avoid using untrusted input directly in LDAP queries.

A recommended mitigation is to implement input sanitization by escaping LDAP filter characters using functions like `ldap.filter.escape_filter_chars` to neutralize special characters in the username parameter.

Additionally, review and limit delegation of admin privileges to reduce the risk of exploitation by less trusted users.

Monitoring logs for unusual LDAP queries or unexpected attribute enumeration can also help detect exploitation attempts.
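As an added illustration of the escaping mitigation above (example code, not Roxy-WI's own): the unescaped f-string pattern the description attributes to get_ldap_email, beside the same filter built with RFC 4515 escaping, which is what `ldap.filter.escape_filter_chars` performs. The filter shape and the uid/objectClass attribute names are assumptions; the escaping is implemented inline so the script runs without python-ldap.

```python
# Added example, not code from Roxy-WI. Contrasts raw f-string interpolation of a
# user-controlled value into an LDAP filter with RFC 4515 escaping of that value.
# The filter shape and attribute names (objectClass, uid) are assumptions.

# RFC 4515 requires these characters to be escaped inside a filter value;
# python-ldap's ldap.filter.escape_filter_chars produces the same output.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_chars(value: str) -> str:
    """Escape filter metacharacters so the value can only be matched, never add clauses."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_vulnerable(username: str) -> str:
    """The pattern the advisory describes: the path parameter dropped into an f-string."""
    return f"(&(objectClass=person)(uid={username}))"


def build_filter_hardened(username: str) -> str:
    """Same filter, with the user-controlled value escaped before interpolation."""
    return f"(&(objectClass=person)(uid={escape_filter_chars(username)}))"


def assertion_count(ldap_filter: str) -> int:
    """Number of attribute assertions in the filter: every literal '(' except the
    outer '(&' wrapper opens one. Escaped parentheses are hex sequences, so an
    escaped value cannot raise this count."""
    return ldap_filter.count("(") - 1


def looks_like_injection(username: str) -> bool:
    """Log-review helper: True when the value contains filter metacharacters,
    i.e. characters an ordinary account name in this endpoint should not carry."""
    return escape_filter_chars(username) != username


if __name__ == "__main__":
    # Constructed inputs: a normal account name and the payload quoted in the advisory.
    for name in ("alice", "*)(mail=*)(cn=*"):
        vuln, safe = build_filter_vulnerable(name), build_filter_hardened(name)
        print(f"{name!r}: vulnerable -> {vuln} [{assertion_count(vuln)} assertions]")
        print(f"{name!r}: hardened   -> {safe} [{assertion_count(safe)} assertions]")
        print(f"{name!r}: flag in request logs = {looks_like_injection(name)}")
```

With the advisory's payload the vulnerable filter carries four assertions, the hardened one still carries two, and the flag function marks the request for review.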

Executive Summary

CVE-2026-45559 is a moderate-severity LDAP injection vulnerability in the Roxy-WI software, specifically affecting versions 8.2.6.4 and earlier.

The vulnerability exists in the /user/ldap/<username> endpoint, which is accessible only to admin-level users.

The issue arises because the username parameter is directly inserted into an LDAP search filter using f-string concatenation without proper sanitization or escaping.

An attacker with admin privileges can craft a malicious username containing LDAP metacharacters (for example, *)(mail=*)(cn=*) to inject additional clauses into the LDAP query.

This injection allows the attacker to bypass intended restrictions and enumerate or harvest LDAP attributes outside the intended record.

Impact Analysis

This vulnerability can lead to unauthorized disclosure of sensitive LDAP directory information.

An attacker with admin privileges can exploit the flaw to enumerate or harvest LDAP attributes beyond what is intended, potentially exposing confidential data such as email addresses and common names.

In environments where admin roles are delegated or shared, this could result in broader exposure of the entire LDAP directory.

The CVSS v3.1 base score of 4.9 reflects a moderate severity with a high confidentiality impact, meaning the main risk is unauthorized data access.

Detection Guidance

This vulnerability can be detected by testing the `/user/ldap/<username>` endpoint with specially crafted usernames containing LDAP metacharacters such as `*)(mail=*)(cn=*` to see if the system returns unauthorized LDAP attributes.

Since the vulnerability requires admin-level access, detection involves verifying if an admin user can inject LDAP filter clauses via the username parameter.

A practical approach is to perform an LDAP injection test by sending requests to the endpoint with payloads that include LDAP special characters and observing if additional LDAP attributes are returned.

  • Use curl or similar tools to send a request to the vulnerable endpoint, for example:
  • curl -k -u admin:password "https://<roxy-wi-server>/user/ldap/*)(mail=*)(cn=*"
  • Analyze the response for unexpected LDAP attributes like mail or cn that indicate successful injection.