Netatalk Security Advisory
| Subject | SQL injection in MySQL CNID backend |
|---|---|
| CVE ID# | CVE-2026-44047 |
| Severity | High |
| Disclosure Date | 2026/05/13 |
| Affected Versions | 3.1.0 - 4.4.2 |
| Summary | The MySQL CNID backend interpolates AFP-controlled filenames into SQL queries, allowing authenticated clients to execute arbitrary SQL against the CNID database |
Description
The MySQL CNID backend did not safely separate client-provided filenames from database queries. In deployments using this backend, an authenticated AFP client may be able to alter CNID database queries and affect database confidentiality, integrity, or availability.
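The defect class described above, as an added illustration that is not Netatalk's code: a CNID-style lookup that splices the client-supplied filename into the query text beside the parameterized form that keeps it as data. sqlite3 stands in for MySQL, and the table layout (Id, Did, Name) is assumed, not taken from Netatalk's schema.

```python
import sqlite3

# Constructed stand-in for a CNID table: sqlite3 in place of MySQL, column
# names assumed for illustration only.
def setup_db():
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cnid (Id INTEGER PRIMARY KEY, "
        "Did INTEGER NOT NULL, Name TEXT NOT NULL)"
    )
    # Two constructed directory entries under parent Did 2; the second is an
    # ordinary filename that happens to contain apostrophes.
    conn.executemany(
        "INSERT INTO cnid (Did, Name) VALUES (?, ?)",
        [(2, "Reports"), (2, "O'Brien's Notes.txt")],
    )
    conn.commit()
    return conn

def lookup_unsafe(conn, did, name):
    # Vulnerable pattern: the AFP-controlled name becomes part of the SQL text,
    # so any quote in it is parsed as SQL rather than matched as a filename.
    sql = "SELECT Id FROM cnid WHERE Did = %d AND Name = '%s'" % (did, name)
    row = conn.execute(sql).fetchone()
    return row[0] if row else None

def lookup_safe(conn, did, name):
    # Hardened pattern: placeholders keep the name as a bound value, so the
    # database never interprets its contents as query syntax. (MySQL client
    # libraries use their own placeholder style; the principle is identical.)
    sql = "SELECT Id FROM cnid WHERE Did = ? AND Name = ?"
    row = conn.execute(sql, (did, name)).fetchone()
    return row[0] if row else None

def demo(name="O'Brien's Notes.txt"):
    # Runs both lookups for one name and reports how each behaved.
    conn = setup_db()
    try:
        unsafe, err = lookup_unsafe(conn, 2, name), None
    except sqlite3.Error as exc:
        # The interpolated query is malformed: the filename broke the statement.
        unsafe, err = None, type(exc).__name__
    return {"safe": lookup_safe(conn, 2, name), "unsafe": unsafe, "unsafe_error": err}

if __name__ == "__main__":
    print(demo())
```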
Patch Availability
Apply CVE-2026-44047.patch to a Netatalk 4.4.2 source tree to hotfix your local Netatalk deployment.
Alternatively, upgrade to Netatalk 4.4.3 or later, which includes the patch.
Netatalk administrators are advised to upgrade to this version or apply the patch as soon as possible.
CVSS Calculation
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H (8.8)
Workaround
Disable the MySQL CNID backend or restrict AFP access to trusted users until patched.
Credits
Vulnerability reported by:
@00redbeer
Independently discovered and reported by:
Tristan (@TristanInSec)
Patch developed by:
Daniel Markstedt of the Netatalk team