Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Primary rating from GitHub Advisory · only source for this CVE.
CVSS VectorGitHub Advisory
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
Lifecycle Timeline
6DescriptionGitHub Advisory
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions up to and including 8.2.8.2, when LDAP authentication is enabled, Roxy-WI constructs an LDAP search filter by directly concatenating the user-supplied login username into the filter string without escaping LDAP special characters. An unauthenticated attacker can inject LDAP filter metacharacters into the username field to manipulate the search query, cause the directory to return an unintended user entry, and bypass authentication entirely - gaining access to the application without knowing any valid password. As of time of publication, no known patches are available.
AnalysisAI
LDAP injection in Roxy-WI web management interface (all versions through 8.2.8.2) allows complete authentication bypass when LDAP authentication is enabled. Unauthenticated remote attackers can inject LDAP filter metacharacters into the username field to manipulate directory queries and access the application without valid credentials. Proof-of-concept code exists (CVSS:4.0 E:P). No vendor patch available at time of publication, affecting production deployments managing Haproxy, Nginx, Apache, and Keepalived infrastructure.
Technical ContextAI
Roxy-WI (cpe:2.3:a:roxy-wi:roxy-wi) is a centralized web interface for managing reverse proxies and load balancers. The vulnerability stems from CWE-287 (Improper Authentication) manifesting as LDAP injection. When LDAP authentication is configured, the application constructs search filters by directly concatenating user input from the login form into LDAP query strings without sanitizing special characters such as parentheses, asterisks, or ampersands. LDAP filter syntax uses these characters for logical operations (AND/OR/NOT) and wildcards. By injecting metacharacters like '*)(objectClass=*' into the username field, an attacker can prematurely close the intended filter condition and append tautological clauses that cause the directory to return arbitrary user entries. The authentication logic then validates against this manipulated result set rather than the legitimate user credential, bypassing password verification entirely. This is analogous to SQL injection but targeting LDAP directory queries. Reference implementation visible in app/modules/roxywi/auth.py at tag v8.2.8.2 shows unsanitized string concatenation in filter construction.
RemediationAI
No vendor-released patch identified at time of analysis per GitHub security advisory GHSA-hv3x-4w38-r92m. Organizations must implement immediate compensating controls: (1) Disable LDAP authentication and migrate to local user authentication until a patch is released - this eliminates the vulnerable code path but requires manual user account migration and loses centralized directory integration benefits; (2) Deploy network-layer access controls restricting Roxy-WI login interface to trusted IP ranges or VPN-only access - reduces attacker surface but does not prevent insider threats or attacks from compromised trusted networks; (3) Implement web application firewall rules to detect and block LDAP metacharacters (parentheses, asterisks, ampersands, pipes) in username fields - may cause false positives if legitimate usernames contain these characters in your directory schema; (4) Deploy intrusion detection monitoring for repeated authentication attempts with special characters in username fields and multiple successful logins from single source IPs - provides detection but not prevention. Monitor vendor advisory https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-hv3x-4w38-r92m for patch release announcements. Given the infrastructure-critical nature of managed services, consider temporarily disabling internet-facing access and requiring VPN/bastion access as most effective interim control.
The ngx_http_parse_chunked function in http/ngx_http_parse.c in nginx 1.3.9 through 1.4.0 allows remote attackers to cau
A critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
nginx 0.8.41 through 1.4.3 and 1.5.x before 1.5.7 allows remote attackers to bypass intended restrictions via an unescap
An issue was discovered on GL.iNet devices before version 4.5.0. Rated critical severity (CVSS 9.8), this vulnerability
Nginx versions since 0.5.6 up to and including 1.13.2 are vulnerable to integer overflow vulnerability in nginx range fi
The resolver in nginx before 1.8.1 and 1.9.x before 1.9.10 allows remote attackers to cause a denial of service (invalid
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. Rated critical severity (CVSS 9.8
The STARTTLS implementation in mail/ngx_mail_smtp_handler.c in the SMTP proxy in nginx 1.5.x and 1.6.x before 1.6.1 and
Heap buffer overflow in NGINX Plus and NGINX Open Source ngx_http_rewrite_module allows remote attackers to crash worker
Same weakness CWE-287 – Improper Authentication
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-23968