LDAP Injection Vulnerability in Roxy-WI Web Interface for Haproxy, Nginx, Apache and Keepalived
CVE-2026-45559

4.9 MEDIUM

Key Information:

Vendor

Roxy-wi

Status
Vendor
CVE Published:
10 June 2026

What is CVE-2026-45559?

Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers, and it contains a vulnerability in its handling of LDAP queries. In versions 8.2.6.4 and earlier, the application concatenates user input from the username URL path parameter directly into the LDAP search filter, without validation or escaping. A crafted username can therefore alter the filter, potentially giving an attacker unauthorized access to sensitive user attributes. No patch is known to be available at the time of writing, so users should review their security measures.
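The filter construction described above, next to an escaped form, as an added example that is not Roxy-WI's code. The attribute name `uid`, the function names, the username allow-list and the sample inputs in the comments are assumptions made for illustration.

```python
import re

# RFC 4515: these characters must be written as \XX hex escapes when they
# appear inside the assertion value of a search filter.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}

# Hypothetical allow-list for account names; adapt to the directory's policy.
_USERNAME_RE = re.compile(r"[A-Za-z0-9._-]{1,64}")

# One (attr=value) term whose value holds no unescaped filter metacharacter.
_SINGLE_TERM_RE = re.compile(
    r"\([A-Za-z][A-Za-z0-9-]*=(?:[^()*\\\x00]|\\[0-9a-fA-F]{2})+\)"
)


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an LDAP filter assertion value."""
    # Character-by-character mapping, so a backslash is never escaped twice.
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(username: str, attr: str = "uid") -> str:
    """The pattern the advisory describes: raw concatenation of user input."""
    return "(" + attr + "=" + username + ")"


def build_filter_safe(username: str, attr: str = "uid") -> str:
    """Reject names outside the allow-list, then escape as defence in depth."""
    if not _USERNAME_RE.fullmatch(username):
        raise ValueError("username contains characters outside the allow-list")
    return f"({attr}={escape_filter_value(username)})"


def filter_is_single_equality(ldap_filter: str) -> bool:
    """True when the filter is exactly one equality term, as the caller intended."""
    return _SINGLE_TERM_RE.fullmatch(ldap_filter) is not None


# Constructed inputs: "jdoe" stays one term either way; "*" concatenated raw
# becomes a match-all presence filter, while the safe builder rejects it.
```

With python-ldap, `ldap.filter.escape_filter_chars` performs the same escaping and can replace the hand-written helper.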

Affected Version(s)

roxy-wi <= 8.2.6.4

References

CVSS V3.1

Score:
4.9
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
High
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved
