CVE-2026-33432— Roxy-WI has Pre-Authentication LDAP Injection that Leads to Authentication Bypass

Roxy-WI has Pre-Authentication LDAP Injection that Leads to Authentication Bypass

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions up to and including 8.2.8.2, when LDAP authentication is enabled, Roxy-WI constructs an LDAP search filter by directly concatenating the user-supplied login username into the filter string without escaping LDAP special characters. An unauthenticated attacker can inject LDAP filter metacharacters into the username field to manipulate the search query, cause the directory to return an unintended user entry, and bypass authentication entirely — gaining access to the application without knowing any valid password. As of time of publication, no known patches are available.

N/A

认证机制不恰当

Roxy-WI 安全漏洞

Roxy-WI是Roxy-WI开源的一款用于管理 Haproxy、Nginx 和 Keepalived 服务器的 Web 界面。 Roxy-WI 8.2.8.2及之前版本存在安全漏洞，该漏洞源于LDAP身份验证时未对用户名中的特殊字符进行转义，可能导致身份验证绕过。

N/A

N/A