Skip to main content

Roxy-WI CVE-2026-45559

| EUVDEUVD-2026-36040 MEDIUM
LDAP Injection (CWE-90)
2026-06-10 GitHub_M
4.9
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.9 MEDIUM
AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
Analysis Generated
Jun 10, 2026 - 15:22 vuln.today
CVE Published
Jun 10, 2026 - 14:02 nvd
MEDIUM 4.9

DescriptionNVD

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, get_ldap_email (app/modules/roxywi/user.py:120-157) builds the LDAP search filter via f-string concatenation. The username URL path parameter is taken verbatim - no checkAjaxInput, no LDAP escape - and inserted, a username like *)(mail=*)(cn=* injects additional clauses, allowing the admin to enumerate or harvest attributes outside the intended record. At time of publication, there are no publicly available patches.

AnalysisAI

LDAP injection in Roxy-WI 8.2.6.4 and prior exposes LDAP directory attributes to authenticated administrators who can manipulate search filter logic via the username URL path parameter. The vulnerable function get_ldap_email (app/modules/roxywi/user.py:120-157) constructs LDAP queries through unsanitized f-string concatenation, enabling injection of additional filter clauses such as *)(mail=*)(cn=* to enumerate or harvest attributes beyond the intended user record. No patch is available at time of publication, and no public exploit identified at time of analysis.

Technical ContextAI

Roxy-WI is a Python-based web management interface for load balancer and proxy server stacks including HAProxy, Nginx, Apache, and Keepalived. The vulnerability is classified as CWE-90 (Improper Neutralization of Special Elements Used in an LDAP Query), a class of injection flaw where LDAP metacharacters - parentheses, asterisks, null bytes - are used to alter the logical structure of a search filter. The specific sink is the get_ldap_email function at lines 120-157 of app/modules/roxywi/user.py, which takes a username from the URL path parameter and directly interpolates it into an LDAP search filter string using a Python f-string, bypassing the checkAjaxInput validation and any LDAP-specific escaping. The affected CPE is cpe:2.3:a:roxy-wi:roxy-wi:*:*:*:*:*:*:*:* covering all versions up to and including 8.2.6.4. LDAP filter injection can manipulate AND/OR logic, broaden result sets, and return attributes outside the intended attribute scope, effectively allowing directory enumeration.

RemediationAI

No vendor-released patch has been identified at time of analysis - the advisory explicitly states no publicly available patches exist as of publication. Organizations should consider disabling LDAP authentication integration in Roxy-WI entirely if it is not operationally required, eliminating the vulnerable code path at the cost of LDAP-based user management. If LDAP authentication must remain active, restrict Roxy-WI administrative access to a minimal, audited set of trusted accounts and enforce network-layer controls limiting access to the Roxy-WI interface to known management hosts only - this does not eliminate the vulnerability but reduces the risk of a compromised admin account being used to exploit it. Monitor the GitHub repository at https://github.com/roxy-wi/roxy-wi/security/advisories/GHSA-2257-7mhp-grqp for patch availability and apply any released fix promptly once a patched version is published.

More in LDAP

View all
CVE-2016-9299 CRITICAL POC
9.8 Jan 12

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a

CVE-2017-14596 CRITICAL POC
9.8 Sep 20

In Joomla!. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required,

CVE-2017-8790 CRITICAL POC
9.8 May 05

An issue was discovered on Accellion FTA devices before FTA_9_12_180. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2023-28853 MEDIUM POC
6.5 Apr 04

Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut

CVE-2020-36966 MEDIUM POC
6.4 Jan 30

Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows at

CVE-2025-36556 MEDIUM POC
6.1 Jan 20

A reflected cross-site scripting (xss) vulnerability exists in the ldapUser functionality of MedDream PACS Premium 7.3.6

CVE-2026-23906 CRITICAL
9.8 Feb 10

Authentication bypass in Apache Druid versions 0.17.0 through 35.x. Affects all versions prior to 36.0.0 when specific p

CVE-2026-44930 CRITICAL
9.8 May 22

Arbitrary certificate disclosure in Apache CXF's XKMS server lets remote attackers abuse an LDAP injection flaw (CWE-90)

CVE-2024-33868 CRITICAL
9.8 May 14

An issue was discovered in linqi before 1.4.0.1 on Windows. Rated critical severity (CVSS 9.8), this vulnerability is re

CVE-2023-6905 CRITICAL
9.8 Dec 18

A vulnerability, which was classified as problematic, has been found in Jahastech NxFilter 4.3.2.5.jsp?actionFlag=test&i

CVE-2021-43350 CRITICAL
9.8 Nov 11

An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the P

CVE-2026-21880 MEDIUM POC
5.3 Jan 08

Kanboard versions 1.2.48 and earlier contain an LDAP injection vulnerability where unsanitized user input in the LDAP au

Share

CVE-2026-45559 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy