CVE-2026-33432

CriticalPublic PoC

Published: 20 April 2026

Published

20 April 2026

Modified

24 April 2026

KEV Added

—

Patch

—

CVSS Score 9.1 CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

EPSS Score 0.0014 33.8th percentile

Risk Priority 18 60% EPSS · 20% KEV · 20% CVSS

Description

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions up to and including 8.2.8.2, when LDAP authentication is enabled, Roxy-WI constructs an LDAP search filter by directly concatenating the user-supplied login username into the…

filter string without escaping LDAP special characters. An unauthenticated attacker can inject LDAP filter metacharacters into the username field to manipulate the search query, cause the directory to return an unintended user entry, and bypass authentication entirely — gaining access to the application without knowing any valid password. As of time of publication, no known patches are available.

Mitigating Controls (NIST 800-53 r5)AI

SI-10 Information Input Validation good match

prevent

Directly requires validation of user-supplied username inputs to block or escape LDAP metacharacters, preventing filter manipulation and authentication bypass.

SI-2 Flaw Remediation good match

prevent

Mandates timely identification, reporting, and remediation of flaws like this LDAP injection vulnerability, including monitoring for and applying vendor patches.

RA-5 Vulnerability Monitoring and Scanning good match

detectrespond

Requires vulnerability scanning that identifies LDAP injection flaws in applications like Roxy-WI, enabling risk assessment and remediation.

Security SummaryAI

CVE-2026-33432 is an LDAP injection vulnerability in Roxy-WI, a web interface for managing HAProxy, Nginx, Apache, and Keepalived servers. The flaw affects versions up to and including 8.2.8.2 when LDAP authentication is enabled. Roxy-WI improperly constructs LDAP search filters by directly concatenating user-supplied login usernames without escaping special LDAP characters, allowing filter manipulation.

An unauthenticated remote attacker can exploit this vulnerability by injecting LDAP filter metacharacters into the username field during login attempts. This manipulates the LDAP search query to return an unintended user entry from the directory, bypassing authentication entirely and granting access to the Roxy-WI application without a valid password. The CVSS 3.1 base score of 9.1 reflects network accessibility, low complexity, no privileges or user interaction required, and high impacts on confidentiality and integrity.

The GitHub security advisory (GHSA-hv3x-4w38-r92m) details the issue in the authentication module (app/modules/roxywi/auth.py). As of publication, no patches are available, so administrators should disable LDAP authentication if possible or monitor for updates from the Roxy-WI project.

Details

CWE(s): CWE-287 NVD-CWE-noinfo

Affected Products

roxy-wi

≤ 8.2.8.2

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access

Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

attack.mitre.org →

Why these techniques?

The vulnerability is an LDAP injection in a public-facing web interface (Roxy-WI), enabling unauthenticated remote attackers to bypass authentication by exploiting improper LDAP filter construction, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

References

https://github.com/roxy-wi/roxy-wi/blob/v8.2.8.2/app/modules/roxywi/auth.py
Product · security-advisories@github.com
https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-hv3x-4w38-r92m
Exploit, Vendor Advisory · security-advisories@github.com
https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-hv3x-4w38-r92m
Exploit, Vendor Advisory · 134c704f-9b21-4f2e-91b3-4a467353bcc0