CVE-2026-45559: LDAP Injection in Roxy-WI – Information Disclosure in Admin User Enumeration
Roxy-WI, a web management interface for HAProxy, Nginx, Apache, and Keepalived servers, contains an LDAP injection vulnerability in its user authentication module. An administrator can manipulate the username parameter to break out of the intended LDAP search filter and enumerate or extract sensitive user attributes—such as email addresses—that should remain hidden. The vulnerability exists because user input is directly concatenated into the LDAP query without proper sanitization or escaping. While exploitation requires administrative privileges, the attack is straightforward once access is obtained, making it a credential harvesting risk in multi-tenant or federated identity environments.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 4.9 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:N/A:N
- Weaknesses (CWE)
- CWE-90
- Affected products
- 0 configuration(s)
- Published / Modified
- 2026-06-10 / 2026-06-17
NVD description (verbatim)
Roxy-WI is a web interface for managing Haproxy, Nginx, Apache and Keepalived servers. In versions 8.2.6.4 and prior, get_ldap_email (app/modules/roxywi/user.py:120-157) builds the LDAP search filter via f-string concatenation. The username URL path parameter is taken verbatim — no checkAjaxInput, no LDAP escape — and inserted, a username like *)(mail=*)(cn=* injects additional clauses, allowing the admin to enumerate or harvest attributes outside the intended record. At time of publication, there are no publicly available patches.
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
The vulnerability resides in the get_ldap_email function (app/modules/roxywi/user.py, lines 120–157) of Roxy-WI versions 8.2.6.4 and prior. The function constructs an LDAP search filter using Python f-string concatenation, directly embedding a username derived from the URL path parameter without validation or LDAP DN escaping. An attacker with administrative access can inject LDAP filter syntax—for example, *)(mail=*)(cn=* —to break the search filter logic and inject arbitrary filter clauses. This allows enumeration of LDAP directory attributes beyond the intended user record. The vulnerability is classified as CWE-90 (Improper Neutralization of Special Elements used in an LDAP Query), a well-known injection flaw pattern.
Business impact
In environments where Roxy-WI is integrated with LDAP-based identity systems (Active Directory, OpenLDAP, etc.), a compromised or malicious administrator can extract sensitive user information such as email addresses, full names, and other directory attributes. This can facilitate downstream social engineering, phishing campaigns, or credential harvesting attacks. Organizations relying on LDAP for centralized user management face a data confidentiality breach. The impact is heightened in security-conscious deployments where attribute enumeration should be strictly controlled. Additionally, the presence of an unauthenticated administrative account or credential compromise increases risk if Roxy-WI is exposed to untrusted networks.
Affected systems
Roxy-WI versions 8.2.6.4 and earlier are affected. Roxy-WI is used by operations teams to centralize management of HAProxy, Nginx, Apache, and Keepalived load balancers and proxy servers. Organizations running these infrastructure management deployments with LDAP authentication enabled are in scope. No official patches have been released as of the vulnerability publication date.
Exploitability
Exploitation requires valid administrative credentials to Roxy-WI; the vulnerability is not remotely exploitable by anonymous users. However, the attack itself is trivial once authenticated: an attacker simply crafts a malicious username string in the relevant API endpoint or web interface and observes LDAP query responses. No specialized tools, code execution, or complex multi-step exploitation is needed. The barrier to exploitation is administrative access, not technical sophistication. In environments where admin accounts are reused, shared, or compromised, risk increases materially.
Remediation
As of publication, no patches have been released. Organizations should implement compensating controls: (1) restrict LDAP query result verbosity and disable attribute disclosure in LDAP server policies; (2) enforce strict administrative access controls and multi-factor authentication for Roxy-WI admin accounts; (3) monitor LDAP query logs for anomalous filter patterns or attribute enumeration attempts; (4) consider disabling LDAP authentication in Roxy-WI if alternative identity providers are available; (5) isolate Roxy-WI to trusted networks and use network segmentation. Monitor SEC.co and official Roxy-WI advisories for patch availability.
Patch guidance
No patches are currently available. Monitor the Roxy-WI project repository and official security channels for a release that addresses the LDAP filter injection. When a patch is released, verify the fix explicitly neutralizes or escapes the username parameter before LDAP filter construction (e.g., using LDAP DN escaping libraries). Test thoroughly in a non-production environment before applying to production infrastructure. Until patching is feasible, implement the compensating controls outlined in the remediation section.
Detection guidance
Review Roxy-WI audit and access logs for administrative users performing unusual LDAP-related operations or querying user attributes in unexpected contexts. Monitor LDAP server logs for filter patterns containing special characters (e.g., asterisks, parentheses, pipe operators) in the cn or search filter field—particularly those that do not match expected legitimate queries. Implement logging at the LDAP server to capture filter strings and cross-reference with Roxy-WI activity logs. A spike in failed LDAP queries or unexpected attribute requests from Roxy-WI may signal reconnaissance activity. In containerized deployments, monitor for elevated or privileged admin session activity.
Why prioritize this
Although the CVSS score is medium (4.9) and authentication is required, the vulnerability enables unauthorized information disclosure of sensitive directory attributes in identity-critical infrastructure. In organizations where LDAP drives centralized user management and attribute confidentiality is a control requirement, this represents a notable governance and compliance risk. The ease of exploitation once authenticated and the lack of available patches argue for rapid compensating controls and continuous monitoring. Prioritize based on: (1) whether Roxy-WI is integrated with sensitive LDAP directories; (2) the strength of administrative access controls; (3) regulatory requirements for attribute confidentiality (e.g., HIPAA, GDPR, SOC 2).
Risk score, explained
The CVSS 3.1 score of 4.9 (MEDIUM) reflects that the attack requires high-privilege (PR:H) authentication and results in confidentiality loss (C:H) with no integrity or availability impact (I:N, A:N). The relatively low overall score is anchored by the authentication requirement and the narrow scope of impact (a single user's attributes). However, the score does not fully capture the strategic value of harvested LDAP attributes in targeted attacks or the regulatory sensitivity of identity data disclosure. Organizations in regulated industries or with strict identity governance policies should treat this vulnerability as a priority despite its medium score.
Frequently asked questions
Do I need administrative access to exploit this vulnerability?
Yes. The vulnerability can only be triggered by an authenticated Roxy-WI administrator. Unauthenticated remote exploitation is not possible. However, in environments where admin credentials are weak, shared, or compromised, the risk rises significantly.
What attributes can be harvested via LDAP injection here?
An attacker can enumerate or extract any LDAP attribute exposed by the directory server's access controls—typically including email addresses, full names, phone numbers, group memberships, and other user metadata. The exact risk depends on what your LDAP server exposes and how it enforces query filters.
Is there a patch available?
No. As of the publication date (June 10, 2026), no official patches have been released. Monitor the Roxy-WI project and vendor advisories for a fix. Until patching is available, deploy compensating controls such as stricter LDAP access policies and enhanced administrative access controls.
How does this affect my organization if we use Roxy-WI but not LDAP?
If Roxy-WI is configured with local authentication or non-LDAP identity providers (e.g., local user database, OAuth), this specific vulnerability does not apply. However, you should verify your authentication configuration and test for related injection flaws if custom authentication modules are in use.
This analysis is provided for informational purposes. No exploit code or weaponized proof-of-concept is included. Readers are responsible for verifying all patch information, CVE details, and affected versions against official vendor advisories before making remediation decisions. SEC.co makes no warranty regarding the completeness or accuracy of this intelligence and recommends independent verification. If you have additional information about exploitation in the wild or patch releases, please contact your security vendor or the Roxy-WI maintainers directly. Source: NVD (public-domain), retrieved 2026-07-19. Analysis generated by SEC.co (claude-haiku-4-5).
Weaknesses (CWE)
Related vulnerabilities
- CVE-2016-20064MEDIUMWP Vault 0.8.6.6 Arbitrary File Read via Directory Traversal
- CVE-2018-25384MEDIUMStored XSS in Wikidforum 2.20 Allows Authenticated Attackers to Inject Malicious Scripts
- CVE-2018-25387MEDIUMHaPe PKH 1.1 Cross-Site Request Forgery (CSRF) Admin Password Reset
- CVE-2018-25393MEDIUMNavigate CMS 2.8.5 Path Traversal Vulnerability (CVSS 6.5)
- CVE-2018-25397MEDIUMCSRF Vulnerability in PHP-SHOP 1.0 – Admin Account Injection
- CVE-2018-25421MEDIUMOpen STA Manager 2.3 Path Traversal File Download Vulnerability
- CVE-2018-25423MEDIUMBuffer Overflow Denial of Service in Arm Whois 3.11
- CVE-2018-25435MEDIUMZeusCart 4.0 CSRF Vulnerability – Account Deactivation Risk