LDAP injection in Roxy-WI - CVE-2026-33432
Published: April 20, 2026
Roxy-WI
Detailed vulnerability description
The vulnerability allows a remote attacker to bypass authentication.
The vulnerability exists due to LDAP injection in app/modules/roxywi/auth.py: when a login request is processed, the user-supplied username is placed into an LDAP search filter. A remote attacker can send a specially crafted login request to bypass authentication.
Only instances with LDAP authentication enabled are vulnerable. If the LDAP server allows anonymous binds or unauthenticated simple binds, exploitation may succeed without a password.
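The following is an added illustration, not Roxy-WI's auth.py and not code from the advisory. It places the unsafe pattern described above (a username spliced into a search filter) next to a hardened version that hex-escapes the RFC 4515 filter metacharacters, and adds the check that addresses the second paragraph: an empty password is refused before any bind, since a DN bound with an empty password is an unauthenticated simple bind that some directories accept. The function names, the uid attribute and the length limit are assumptions for the example.

```python
"""Defensive handling of a user-supplied username in an LDAP search filter.

Illustrative code only; it is not Roxy-WI's implementation. It shows the
unsafe pattern (username concatenated into the filter) beside a hardened
variant that escapes filter metacharacters and refuses empty passwords.
"""

# RFC 4515 section 3: these characters must be hex-escaped inside an
# assertion value. Backslash is in the map so the escape prefix produced
# here is never itself re-escaped (each input char is visited once).
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_chars(value: str) -> str:
    """Escape a value for safe use as an assertion value in an LDAP filter."""
    out = []
    for ch in value:
        if ch in _FILTER_ESCAPES:
            out.append(_FILTER_ESCAPES[ch])
        elif ord(ch) > 0x7F:
            # Non-ASCII is escaped byte-wise as UTF-8, as RFC 4515 requires.
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def build_user_filter_unsafe(username: str, uid_attr: str = "uid") -> str:
    """The vulnerable pattern: untrusted input spliced straight into the filter."""
    return f"({uid_attr}={username})"


def build_user_filter(username: str, uid_attr: str = "uid") -> str:
    """Hardened variant: metacharacters in the username cannot change the filter."""
    return f"({uid_attr}={escape_filter_chars(username)})"


def prepare_ldap_login(username: str, password: str, uid_attr: str = "uid") -> str:
    """Validate credentials before any bind and return the search filter to use.

    Raises ValueError so the caller fails closed. The empty-password check is
    deliberate: RFC 4513 defines a simple bind with a DN and an empty password
    as an unauthenticated bind, which some servers treat as success.
    """
    if not username or not password:
        raise ValueError("username and password are both required")
    # Assumed policy for the example: bounded length, no control characters.
    if len(username) > 256 or any(ord(c) < 0x20 for c in username):
        raise ValueError("username contains control characters or is too long")
    return build_user_filter(username, uid_attr)


if __name__ == "__main__":
    # Constructed sample inputs to show the two filters side by side.
    for name in ["alice", "alice*", "(alice)", "o'brien", "d\\ng"]:
        print(f"{name!r:12} unsafe={build_user_filter_unsafe(name):22} "
              f"safe={build_user_filter(name)}")
```

The escaping should happen in exactly one place, the function that builds the filter, rather than at each call site; the bind step then uses the DN returned by the search and the password the user supplied, never an empty one.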