CVE-2026-45559— Roxy-WI: LDAP injection in /user/ldap/<username> (admin-only)
Possible ATT&CK Techniques 1AI
T1190 · Exploit Public-Facing ApplicationGet alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-45559
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
Roxy-WI: LDAP injection in /user/ldap/<username> (admin-only)
Source: NVD (National Vulnerability Database)
Vulnerability Description
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, get_ldap_email (app/modules/roxywi/user.py:120-157) builds the LDAP search filter via f-string concatenation. The username URL path parameter is taken verbatim — no checkAjaxInput, no LDAP escape — and inserted, a username like *)(mail=*)(cn=* injects additional clauses, allowing the admin to enumerate or harvest attributes outside the intended record. At time of publication, there are no publicly available patches.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
LDAP查询中使用的特殊元素转义处理不恰当(LDAP注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
Roxy-WI 注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
Roxy-WI是Roxy-WI开源的一款用于管理 Haproxy、Nginx 和 Keepalived 服务器的 Web 界面。 Roxy-WI 8.2.6.4及之前版本存在注入漏洞,该漏洞源于get_ldap_email函数通过f字符串拼接构建LDAP搜索过滤器,用户名URL路径参数未经检查直接插入,可能导致管理员枚举或收集预期记录之外的属性。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-45559
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-45559
请登录查看更多情报信息。
Vendor Advisories for CVE-2026-45559 (1)
Same Patch Batch · roxy-wi · 2026-06-10 · 14 CVEs total
| CVE-2026-45556 | 9.9 CRITICAL | Roxy-WI: Authenticated arbitrary file write on every managed load balancer (and downstream |
| CVE-2026-45558 | 9.9 CRITICAL | Roxy-WI: Authenticated RCE on every managed HAProxy load balancer via `option` field confi |
| CVE-2026-45552 | 9.9 CRITICAL | Roxy-WI: Cross-tenant authorization bypass on /install/* — guest can run Ansible / SSH on |
| CVE-2026-45550 | 9.1 CRITICAL | Roxy-WI: IDOR on PUT /smon/check — any user can rewrite any tenant's monitoring URL/IP/bod |
| CVE-2026-45564 | 8.8 HIGH | Roxy-WI: Authenticated RCE via 'configver' URL parameter (os.system sink in /config/versio |
| CVE-2026-45549 | 8.5 HIGH | Roxy-WI: Authorization bypass on POST /smon/agent/action/<action> — guest can stop or rest |
| CVE-2026-45567 | 8.3 HIGH | Roxy-WI: Authentication bypass via 'api' substring in URL + unauthenticated /api/gpt |
| CVE-2026-45569 | 8.1 HIGH | Roxy-WI: Path-traversal patch in commit d4d10006 is a no-op (tuple-membership bug) |
| CVE-2026-45565 | 8.1 HIGH | Roxy-WI: EscapedString validator skips its '..' block when stripping (root cause for sever |
| CVE-2026-45561 | 6.5 MEDIUM | Roxy-WI: SSRF in /smon/agent/<endpoint>/<server_ip> reachable to cloud metadata IPs |
| CVE-2026-45566 | 6.1 MEDIUM | Roxy-WI: Open redirect on /login?next= via basic-auth userinfo syntax bypass |
| CVE-2026-45560 | 6.1 MEDIUM | Roxy-WI: Stored XSS in log viewer (wrap_line/highlight_word produce unescaped HTML) |
| CVE-2026-45563 | 4.3 MEDIUM | Roxy-WI: IDOR — any authenticated user can read another user's full action history |
IV. Related Vulnerabilities
Same product: roxy-wi
- CVE-2026-45569
Roxy-WI: Path-traversal patch in commit d4d10006 is a no-op - CVE-2026-45567
Roxy-WI: Authentication bypass via 'api' substring in URL + - CVE-2026-45566
Roxy-WI: Open redirect on /login?next= via basic-auth userin - CVE-2026-45565
Roxy-WI: EscapedString validator skips its '..' block when s - CVE-2026-45564
Roxy-WI: Authenticated RCE via 'configver' URL parameter (os
Same vendor: roxy-wi
- CVE-2026-45569
Roxy-WI: Path-traversal patch in commit d4d10006 is a no-op - CVE-2026-45567
Roxy-WI: Authentication bypass via 'api' substring in URL + - CVE-2026-45566
Roxy-WI: Open redirect on /login?next= via basic-auth userin - CVE-2026-45565
Roxy-WI: EscapedString validator skips its '..' block when s - CVE-2026-45564
Roxy-WI: Authenticated RCE via 'configver' URL parameter (os
Same weakness: CWE-90
- CVE-2026-49268
Apache Shiro: LDAP DN Injection in DefaultLdapRealm - CVE-2026-42568
Yamcs Vulnerable to LDAP Injection in LdapAuthModule - CVE-2026-46745
Apache Airflow FAB provider: LDAP Filter Injection in FAB Au - CVE-2026-44930
Apache CXF: LDAP Injection vulnerability in XKMS LDAP Reposi - CVE-2026-44063
LDAP filter injection
V. Comments for CVE-2026-45559
No comments yet