Netatalk Security Advisory
| Subject | Weak cryptography in DHCAST128 UAM |
|---|---|
| CVE ID# | CVE-2026-44053 |
| Severity | High |
| Disclosure Date | 2026/05/13 |
| Affected Versions | 1.5.0 - 4.2.2 |
| Summary | The DHCAST128 authentication method uses a 128-bit Diffie-Hellman prime which is considered weak |
Description
The legacy DHCAST128 authentication mechanism relies on obsolete cryptography. Exploitation requires a suitable network position, legacy negotiation conditions, and specialized effort, but deployments should disable this UAM and prefer stronger authentication methods.
Patch Availability
Apply CVE-2026-44053.patch to a Netatalk 4.4.2 source tree to hotfix your local Netatalk deployment.
Alternatively, upgrade to Netatalk 4.5.0 or later, which includes the patch.
The Netatalk team does not encourage proactively applying the patch to existing deployments because of the low practical exploitability.
CVSS Calculation
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N (7.4)
Workaround
Remove uams_dhx.so from the configured UAM list and require encrypted or trusted networks for AFP traffic. For example, to allow only the DHX2 UAM:
uams = uams_dhx2.so
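The check below is an added example, not code from the advisory or from Netatalk: it reads an afp.conf-style configuration, reports whether uams_dhx.so is still enabled, and derives the hardened UAM list shown in the workaround. The `uams` key is the spelling used above; `uam list` is accepted too because that is the key name afp.conf's [Global] section uses; the sample configuration is constructed.

```python
import re

# Modules named in the advisory: the weak DHCAST128 UAM and its replacement.
WEAK_UAM = "uams_dhx.so"
PREFERRED_UAM = "uams_dhx2.so"

# Both spellings of the option: the advisory's "uams" and afp.conf's "uam list".
UAM_KEYS = ("uams", "uam list")

# Constructed sample in afp.conf's ini style (not a real deployment).
SAMPLE_CONF = """\
[Global]
; constructed example: only the weak DHCAST128 UAM is enabled
uams = uams_dhx.so
hostname = afpserver

[Homes]
basedir regex = /home
"""


def parse_uam_list(conf_text):
    """Return the UAM modules listed under [Global], in configured order."""
    section = None
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":          # blank line or comment
            continue
        m = re.match(r"\[(.+)\]$", line)          # section header
        if m:
            section = m.group(1).strip().lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = (part.strip() for part in line.split("=", 1))
        if key.lower() in UAM_KEYS:
            return [u for u in re.split(r"[,\s]+", value) if u]
    return []


def audit_uams(conf_text):
    """Flag the weak UAM and build the hardened list the workaround asks for."""
    uams = parse_uam_list(conf_text)
    hardened = [u for u in uams if u != WEAK_UAM]
    if WEAK_UAM in uams and PREFERRED_UAM not in hardened:
        hardened.append(PREFERRED_UAM)
    return {"weak_enabled": WEAK_UAM in uams,
            "configured": uams, "hardened": hardened}


if __name__ == "__main__":
    print(audit_uams(SAMPLE_CONF))
```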
Credits
Vulnerability reported by:
@00redbeer
Patch developed by:
Daniel Markstedt of the Netatalk team
References