Cyber Resilience

CVE-2026-33432

HighPublic PoC

Published: 20 April 2026

Published
20 April 2026
Modified
24 April 2026
KEV Added
Patch
CVSS Score v4 7.7 CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X
EPSS Score 0.0042 33.8th percentile
Risk Priority 55 floored blend · peak EPSS

Summary

CVE-2026-33432 is a high-severity Improper Authentication (CWE-287) vulnerability in Roxy-Wi Roxy-Wi. Its CVSS base score is 7.7 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 33.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog; a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 RA-5 (Vulnerability Monitoring and Scanning) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-33432 is an LDAP injection vulnerability in Roxy-WI, a web interface for managing HAProxy, Nginx, Apache, and Keepalived servers. The flaw affects versions up to and including 8.2.8.2 when LDAP authentication is enabled. Roxy-WI improperly constructs LDAP search filters by directly concatenating user-supplied login usernames without escaping special LDAP characters, allowing filter manipulation.

An unauthenticated remote attacker can exploit this vulnerability by injecting LDAP filter metacharacters into the username field during login attempts. This manipulates the LDAP search query to return an unintended user entry from the directory, bypassing authentication entirely and granting access to the Roxy-WI application without a valid password. The CVSS 3.1 base score of 9.1 reflects network accessibility, low complexity, no privileges or user interaction required, and high impacts on confidentiality and integrity.

The GitHub security advisory (GHSA-hv3x-4w38-r92m) details the issue in the authentication module (app/modules/roxywi/auth.py). As of publication, no patches are available, so administrators should disable LDAP authentication if possible or monitor for updates from the Roxy-WI project.

OWASP Top 10 for Web (2025)

EU & UK References

Vulnerability details

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions up to and including 8.2.8.2, when LDAP authentication is enabled, Roxy-WI constructs an LDAP search filter by directly concatenating the user-supplied login username into the…

more

filter string without escaping LDAP special characters. An unauthenticated attacker can inject LDAP filter metacharacters into the username field to manipulate the search query, cause the directory to return an unintended user entry, and bypass authentication entirely — gaining access to the application without knowing any valid password. As of time of publication, no known patches are available.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
Why these techniques?

The vulnerability is an LDAP injection in a public-facing web interface (Roxy-WI), enabling unauthenticated remote attackers to bypass authentication by exploiting improper LDAP filter construction, directly mapping to exploitation of public-facing applications.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-33076Same product: Roxy-Wi Roxy-Wi
CVE-2026-33078Same product: Roxy-Wi Roxy-Wi
CVE-2026-33208Same product: Roxy-Wi Roxy-Wi
CVE-2026-27811Same product: Roxy-Wi Roxy-Wi
CVE-2026-22265Same product: Roxy-Wi Roxy-Wi
CVE-2026-33077Same product: Roxy-Wi Roxy-Wi
CVE-2025-1044Shared CWE-287
CVE-2026-1740Shared CWE-287
CVE-2026-7022Shared CWE-287
CVE-2024-13111Shared CWE-287

Affected Assets

roxy-wi
roxy-wi
≤ 8.2.8.2

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Directly requires validation of user-supplied username inputs to block or escape LDAP metacharacters, preventing filter manipulation and authentication bypass.

prevent

Mandates timely identification, reporting, and remediation of flaws like this LDAP injection vulnerability, including monitoring for and applying vendor patches.

detectrespond

Requires vulnerability scanning that identifies LDAP injection flaws in applications like Roxy-WI, enabling risk assessment and remediation.

References