Netatalk Security Advisory
| Subject | LDAP simple-bind password exposure in log output |
|---|---|
| CVE ID# | CVE-2026-44052 |
| Severity | High |
| Disclosure Date | 2026/05/13 |
| Affected Versions | 2.1.0 - 4.4.2 |
| Summary | LDAP simple-bind passwords are written to logs when a bind failure occurs. |
Description
When an LDAP simple bind fails, Netatalk writes the bind password to its log output. Because bind failures occur during ordinary LDAP server outages or restarts, the LDAP service account's credentials can be exposed to any user or system with read access to the Netatalk logs.
Patch Availability
Apply CVE-2026-44052.patch to a Netatalk 4.4.2 source tree to hotfix your local Netatalk deployment.
Alternatively, upgrade to Netatalk 4.4.3 or later, which includes the patch.
Netatalk administrators are advised to upgrade to this version or apply the patch as soon as possible.
CVSS Calculation
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N (7.5)
Workaround
Where possible, use a more secure user authentication method than LDAP simple-bind, and restrict read access to Netatalk logs to trusted administrators.
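As an added defender-side example that is not part of this advisory or of Netatalk's own code: the script below checks whether a reported Netatalk version falls inside the affected range stated above, and scans a log for the LDAP bind password (raw, URL-encoded, or base64-encoded) so an administrator can tell whether the service account credential has been exposed and needs rotation, and can redact copies of the log before sharing them. The log lines are constructed for the example; the advisory does not specify the exact log format, and the set of encodings searched is a heuristic assumption.

```python
"""Constructed helpers for responding to CVE-2026-44052 (not Netatalk code)."""
import base64
import getpass
import re
import sys
from urllib.parse import quote

# Version range taken from the advisory table: 2.1.0 - 4.4.2 affected, 4.4.3 fixed.
AFFECTED_MIN = (2, 1, 0)
AFFECTED_MAX = (4, 4, 2)
FIXED_VERSION = (4, 4, 3)


def parse_version(text):
    """Extract an x.y.z version from strings such as '4.4.2' or 'netatalk 4.4.2'."""
    match = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not match:
        raise ValueError(f"no x.y.z version found in {text!r}")
    return tuple(int(part) for part in match.groups())


def is_affected(text):
    """True when the version lies within the advisory's affected range (inclusive)."""
    return AFFECTED_MIN <= parse_version(text) <= AFFECTED_MAX


def secret_forms(secret):
    """Forms in which a password might appear in a log line.

    Assumption (heuristic, not from the advisory): raw, URL-encoded and base64.
    """
    return {
        secret,
        quote(secret, safe=""),
        base64.b64encode(secret.encode()).decode(),
    }


def find_leaks(lines, secret):
    """Return (line_number, line) pairs in which the bind password appears in any form."""
    forms = secret_forms(secret)
    return [
        (number, line)
        for number, line in enumerate(lines, start=1)
        if any(form in line for form in forms)
    ]


def redact(lines, secret, marker="[REDACTED]"):
    """Return a copy of the log with every form of the password replaced by marker."""
    # Replace longer forms first so a partial replacement cannot leave a shorter form behind.
    forms = sorted(secret_forms(secret), key=len, reverse=True)
    redacted = []
    for line in lines:
        for form in forms:
            line = line.replace(form, marker)
        redacted.append(line)
    return redacted


# Constructed sample log; the real Netatalk message text is not given in the advisory.
SAMPLE_LOG = [
    "May 13 10:02:11 afpd[1234]: LDAP bind to ldap://ldap.example.internal failed: Can't contact LDAP server",
    "May 13 10:02:11 afpd[1234]: bind dn=cn=afp-svc,ou=svc,dc=example,dc=internal pw=S3cr3t!Pass",
    "May 13 10:02:12 afpd[1234]: AFP session started for user alice",
]
SAMPLE_SECRET = "S3cr3t!Pass"  # constructed, only used by the sample run below


def main(argv):
    """Usage: python cve_2026_44052_check.py <netatalk-version> [logfile]"""
    if len(argv) < 2:
        print(main.__doc__)
        return 2
    print("affected version" if is_affected(argv[1]) else "version not in affected range")
    if len(argv) > 2:
        with open(argv[2], encoding="utf-8", errors="replace") as handle:
            lines = handle.read().splitlines()
        # Prompt rather than take the password on the command line, where it would show in ps.
        secret = getpass.getpass("LDAP bind password to search for: ")
    else:
        lines, secret = SAMPLE_LOG, SAMPLE_SECRET
    leaks = find_leaks(lines, secret)
    for number, _ in leaks:
        print(f"bind password exposed on line {number}; rotate the credential")
    for line in redact(lines, secret):
        print(line)
    return 1 if leaks else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without a log file to see the constructed sample; with a version and a log path, the script prompts for the bind password, reports the line numbers on which it appears, and prints a redacted copy of the log. A non-zero exit status signals that the credential was found and should be rotated.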
Credits
Vulnerability reported by:
@00redbeer
Patch developed by:
Daniel Markstedt of the Netatalk team
References