Netatalk Security Advisory
| Subject | Arbitrary file read via attacker-controlled symlink creation |
|---|---|
| CVE ID# | CVE-2026-44051 |
| Severity | High |
| Disclosure Date | 2026/05/13 |
| Affected Versions | 3.0.2 - 4.4.2 |
| Summary | A client can cause afpd to replace a regular file with a symlink whose target is read from attacker-controlled file contents |
Description
AFP metadata handling can create symlinks from client-controlled file data without ensuring the result remains within the shared volume. An authenticated client may be able to create persistent links that point outside the intended share boundary.
Patch Availability
Apply CVE-2026-44051.patch to a Netatalk 4.4.2 source tree to hotfix your local Netatalk deployment.
Alternatively, upgrade to Netatalk 4.4.3 or later, which includes the patch.
Netatalk administrators are advised to upgrade to this version or apply the patch as soon as possible.
CVSS Calculation
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N (8.1)
Workaround
Disable symlink-following behavior where possible and restrict write access on AFP volumes until patched.
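The Description above names the core defect: a symlink is created from client-controlled data without checking that its target stays inside the shared volume. The script below is an added example written for this advisory, not code from Netatalk or from the patch. It shows the containment check a server should apply before creating such a link (resolve the target relative to the link's directory, then require the result to sit under the volume root) and reuses that check to audit an existing AFP volume for links that already escape, which complements the workaround above while a deployment waits for the patch. All paths and the directory layout in `run_demo` are constructed for the demonstration.

```python
import os
import shutil
import tempfile


def resolve_target(link_path: str, target: str) -> str:
    """Resolve a symlink target the way the filesystem would: relative
    targets are interpreted from the link's own directory."""
    link_dir = os.path.realpath(os.path.dirname(link_path))
    candidate = target if os.path.isabs(target) else os.path.join(link_dir, target)
    return os.path.realpath(candidate)


def target_escapes_volume(volume_root: str, link_path: str, target: str) -> bool:
    """True if a symlink at link_path pointing at target would resolve to a
    location outside volume_root. This is the check a server should run
    before honouring a client-supplied link target."""
    root = os.path.realpath(volume_root)
    resolved = resolve_target(link_path, target)
    try:
        return os.path.commonpath([root, resolved]) != root
    except ValueError:
        # Different drives (Windows): cannot be inside the volume.
        return True


def find_escaping_symlinks(volume_root: str) -> list[tuple[str, str]]:
    """Audit an existing volume: return (link relative to root, raw target)
    for every symlink whose target resolves outside the volume."""
    root = os.path.realpath(volume_root)
    findings = []
    # followlinks=False so a link to a directory is reported, not descended into.
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):
                target = os.readlink(full)
                if target_escapes_volume(root, full, target):
                    findings.append((os.path.relpath(full, root), target))
    return sorted(findings)


def run_demo() -> list[str]:
    """Build a constructed volume with one safe link and two escaping links,
    audit it, and return the names of the links that were flagged."""
    base = tempfile.mkdtemp(prefix="afp-volume-demo-")  # constructed sample tree
    try:
        volume = os.path.join(base, "volume")
        outside = os.path.join(base, "outside")
        os.makedirs(os.path.join(volume, "docs"))
        os.makedirs(outside)
        with open(os.path.join(outside, "secret.txt"), "w") as fh:
            fh.write("not exported by the share\n")
        with open(os.path.join(volume, "docs", "readme.txt"), "w") as fh:
            fh.write("exported file\n")
        # Stays inside the volume: relative link to a sibling file.
        os.symlink("docs/readme.txt", os.path.join(volume, "safe_link"))
        # Escapes via an absolute target.
        os.symlink(os.path.join(outside, "secret.txt"), os.path.join(volume, "abs_escape"))
        # Escapes via a relative target that climbs above the volume root.
        os.symlink("../../outside/secret.txt", os.path.join(volume, "docs", "rel_escape"))
        return [name for name, _ in find_escaping_symlinks(volume)]
    finally:
        shutil.rmtree(base, ignore_errors=True)


if __name__ == "__main__":
    print(run_demo())  # ['abs_escape', 'docs/rel_escape']
```

Pointing `find_escaping_symlinks` at a real volume path lists links an administrator may want to remove or replace before applying the patch; the check deliberately resolves through intermediate symlinks with `realpath`, so a link whose target passes through another escaping link is also caught.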
Credits
Vulnerability reported by:
@00redbeer
Independently discovered and reported by:
Tristan (@TristanInSec)
Patch developed by:
Daniel Markstedt of the Netatalk team
References