LDAP Injection Vulnerability in Roxy-WI Web Interface for Haproxy, Nginx, Apache and Keepalived
CVE-2026-45559
4.9 MEDIUM
What is CVE-2026-45559?
The Roxy-WI web interface facilitates management of various web servers but contains a vulnerability in its handling of LDAP queries. In versions 8.2.6.4 and earlier, the application directly concatenates user input from the username URL path parameter into the LDAP search filter without proper validation or escaping. This allows malicious actors to manipulate the filter through crafted usernames, potentially gaining unauthorized access to sensitive user attributes. As of now, there are no known patches available to rectify this issue, highlighting the urgent need for users to review their security measures.
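The filter-construction flaw described above, shown as an added example that is not Roxy-WI's own code: raw concatenation beside a hardened builder that applies an allow-list check and RFC 4515 escaping. The `uid` attribute, the function names, the username policy and the sample inputs are assumptions constructed for illustration.

```python
import re

# RFC 4515 section 3: these characters must be written as \XX hex escapes
# when they appear inside an assertion value of a search filter.
_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}

# Assumed policy (not from the advisory): short names, conservative charset.
_USERNAME_RE = re.compile(r"[A-Za-z0-9._@-]{1,64}")


def escape_filter_value(value: str) -> str:
    """Escape one assertion value so it cannot alter the filter structure."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unsafe_filter(username: str) -> str:
    """The pattern the advisory describes: input concatenated as-is."""
    return "(uid=" + username + ")"


def escaped_filter(username: str) -> str:
    """Escaping only, for directories whose names may contain odd characters."""
    return "(uid=" + escape_filter_value(username) + ")"


def safe_filter(username: str) -> str:
    """Defence in depth: reject unexpected input first, then escape anyway."""
    if not _USERNAME_RE.fullmatch(username):
        raise ValueError("username contains characters outside the allow-list")
    return escaped_filter(username)


def is_single_assertion(ldap_filter: str) -> bool:
    """True if the filter is still one '(attr=value)' item with no wildcard."""
    return (
        ldap_filter.startswith("(")
        and ldap_filter.endswith(")")
        and ldap_filter.count("(") == 1
        and ldap_filter.count(")") == 1
        and "*" not in ldap_filter
    )


if __name__ == "__main__":
    for name in ["jdoe", "j*", "x)(y"]:  # constructed sample inputs
        print(repr(name), unsafe_filter(name), escaped_filter(name))
```

`is_single_assertion` is also usable as a regression check in tests or a pre-query guard: any filter built from a single username that fails it has had its structure changed by the input.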
Affected Version(s)
roxy-wi <= 8.2.6.4
