PT-2026-33846 · Roxy-Wi · Roxy-Wi

Published: 2026-04-20 · Updated: 2026-04-21 · CVE-2026-33432

CVSS v3.1: 9.1 (Critical)

Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N

Name of the Vulnerable Software and Affected Versions

Roxy-WI versions prior to 8.2.8.3

Description

When LDAP authentication is enabled, the application constructs an LDAP search filter by directly concatenating the user-supplied username into the filter string without escaping special characters. This allows an unauthenticated attacker to inject LDAP filter metacharacters into the username field to manipulate the search query and cause the directory to return an unintended user entry, resulting in a complete authentication bypass.

Recommendations

At the moment, there is no information about a newer version that contains a fix for this vulnerability.
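
The flaw class in the Description, shown as an added example that is not Roxy-WI's code: a filter built by raw concatenation beside the same filter built with RFC 4515 escaping, plus a structural check a reviewer or unit test can run on the result. The attribute name `uid`, the function names and the sample usernames are assumptions made for illustration.

```python
# Added example, not Roxy-WI code. The attribute name "uid" and all sample
# usernames below are constructed for illustration.

# RFC 4515, section 3: inside a filter assertion value these characters
# must be written as a backslash followed by their two-digit hex code.
_RFC4515_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string so the directory treats it as literal data."""
    # Per-character mapping, so an inserted backslash is never re-escaped.
    return "".join(_RFC4515_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(username: str, attr: str = "uid") -> str:
    """The pattern the advisory describes: raw concatenation."""
    return "(" + attr + "=" + username + ")"


def build_filter_safe(username: str, attr: str = "uid") -> str:
    """Same filter, with the username escaped before it is embedded."""
    return "(" + attr + "=" + escape_filter_value(username) + ")"


def metachar_counts(filter_str: str) -> tuple:
    """Return counts of raw '(', ')' and '*' in a filter string.

    A single equality match built from escaped input is always (1, 1, 0).
    """
    return (filter_str.count("("), filter_str.count(")"), filter_str.count("*"))


if __name__ == "__main__":
    # Constructed inputs: an ordinary name, and two names that happen to
    # contain filter metacharacters.
    for name in ["alice", "al*ce", "smith (contractor)"]:
        unsafe, safe = build_filter_unsafe(name), build_filter_safe(name)
        print(f"{name!r}")
        print(f"  unsafe {unsafe}  {metachar_counts(unsafe)}")
        print(f"  safe   {safe}  {metachar_counts(safe)}")
```

Where python-ldap or ldap3 is already a dependency, their `escape_filter_chars` helpers perform the same escaping.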

Exploit

Improper Authentication

Weakness Enumeration

Related Identifiers

CVE-2026-33432

Affected Products

Roxy-Wi