Skip to main content

Apache CVE-2026-33432

| EUVDEUVD-2026-23968 HIGH
Improper Authentication (CWE-287)
2026-04-20 GitHub_M
7.7
CVSS 4.0 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
7.7 HIGH
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
X

Lifecycle Timeline

6
Re-analysis Queued
Apr 21, 2026 - 16:22 vuln.today
cvss_changed
Analysis Generated
Apr 20, 2026 - 21:44 vuln.today
CVSS changed
Apr 20, 2026 - 21:22 NVD
7.7 (HIGH)
EUVD ID Assigned
Apr 20, 2026 - 21:15 euvd
EUVD-2026-23968
Analysis Generated
Apr 20, 2026 - 21:15 vuln.today
CVE Published
Apr 20, 2026 - 20:26 nvd
HIGH 7.7

DescriptionGitHub Advisory

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions up to and including 8.2.8.2, when LDAP authentication is enabled, Roxy-WI constructs an LDAP search filter by directly concatenating the user-supplied login username into the filter string without escaping LDAP special characters. An unauthenticated attacker can inject LDAP filter metacharacters into the username field to manipulate the search query, cause the directory to return an unintended user entry, and bypass authentication entirely - gaining access to the application without knowing any valid password. As of time of publication, no known patches are available.

AnalysisAI

LDAP injection in Roxy-WI web management interface (all versions through 8.2.8.2) allows complete authentication bypass when LDAP authentication is enabled. Unauthenticated remote attackers can inject LDAP filter metacharacters into the username field to manipulate directory queries and access the application without valid credentials. Proof-of-concept code exists (CVSS:4.0 E:P). No vendor patch available at time of publication, affecting production deployments managing Haproxy, Nginx, Apache, and Keepalived infrastructure.

Technical ContextAI

Roxy-WI (cpe:2.3:a:roxy-wi:roxy-wi) is a centralized web interface for managing reverse proxies and load balancers. The vulnerability stems from CWE-287 (Improper Authentication) manifesting as LDAP injection. When LDAP authentication is configured, the application constructs search filters by directly concatenating user input from the login form into LDAP query strings without sanitizing special characters such as parentheses, asterisks, or ampersands. LDAP filter syntax uses these characters for logical operations (AND/OR/NOT) and wildcards. By injecting metacharacters like '*)(objectClass=*' into the username field, an attacker can prematurely close the intended filter condition and append tautological clauses that cause the directory to return arbitrary user entries. The authentication logic then validates against this manipulated result set rather than the legitimate user credential, bypassing password verification entirely. This is analogous to SQL injection but targeting LDAP directory queries. Reference implementation visible in app/modules/roxywi/auth.py at tag v8.2.8.2 shows unsanitized string concatenation in filter construction.

RemediationAI

No vendor-released patch identified at time of analysis per GitHub security advisory GHSA-hv3x-4w38-r92m. Organizations must implement immediate compensating controls: (1) Disable LDAP authentication and migrate to local user authentication until a patch is released - this eliminates the vulnerable code path but requires manual user account migration and loses centralized directory integration benefits; (2) Deploy network-layer access controls restricting Roxy-WI login interface to trusted IP ranges or VPN-only access - reduces attacker surface but does not prevent insider threats or attacks from compromised trusted networks; (3) Implement web application firewall rules to detect and block LDAP metacharacters (parentheses, asterisks, ampersands, pipes) in username fields - may cause false positives if legitimate usernames contain these characters in your directory schema; (4) Deploy intrusion detection monitoring for repeated authentication attempts with special characters in username fields and multiple successful logins from single source IPs - provides detection but not prevention. Monitor vendor advisory https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-hv3x-4w38-r92m for patch release announcements. Given the infrastructure-critical nature of managed services, consider temporarily disabling internet-facing access and requiring VPN/bastion access as most effective interim control.

More in Nginx

View all
CVE-2013-2028 HIGH POC
7.5 Jul 20

The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cau

CVE-2025-1974 CRITICAL POC
9.8 Mar 25

A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access

CVE-2013-4547 HIGH POC
7.5 Nov 23

nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescap

CVE-2023-50919 CRITICAL POC
9.8 Jan 12

An issue was discovered on GL.iNet devices before version 4.5.0. Rated critical severity (CVSS 9.8), this vulnerability

CVE-2017-7529 HIGH
7.5 Jul 13

Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range fi

CVE-2016-0742 HIGH
7.5 Feb 15

The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid

CVE-2025-1098 HIGH POC
8.8 Mar 25

Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress

CVE-2025-24514 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres

CVE-2025-1097 HIGH POC
8.8 Mar 25

A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c

CVE-2022-31137 CRITICAL POC
9.8 Jul 08

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8

CVE-2014-3556 MEDIUM
6.8 Dec 29

The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and

CVE-2026-42945 CRITICAL POC
9.2 May 13

Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker

Share

CVE-2026-33432 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy