Netatalk Security Advisory
| Subject | Authentication bypass via admin auth user |
|---|---|
| CVE ID# | CVE-2026-44058 |
| Severity | Medium |
| Disclosure Date | 2026/05/13 |
| Affected Versions | 2.2.2 - 4.4.2 |
| Summary | The admin auth user fallback can authenticate a client as any requested user when the admin password is known |
Description
The documented admin auth user fallback allows a client that supplies the configured administrative password to authenticate as any other requested user. This is security-sensitive when the option is enabled unintentionally.
Patch Availability
Apply CVE-2026-44058.patch to a Netatalk 4.4.2 source tree to hotfix your local Netatalk deployment.
Alternatively, upgrade to Netatalk 4.5.0 or later, which includes the patch.
The Netatalk team does not encourage proactively applying the patch to existing deployments because of the low practical exploitability.
CVSS Calculation
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (6.4)
Workaround
Do not set admin auth user in afp.conf unless it is strictly required and access is limited to trusted administrators.
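As an added audit check (not part of this advisory or of the Netatalk project's own code), the following POSIX shell snippet reads an afp.conf and reports whether the admin auth user directive is active in the [Global] section, so an administrator can confirm the workaround above is in place. The sample configurations are constructed here; the afp.conf location varies by build and is passed explicitly.

```shell
#!/bin/sh
# Added audit helper, not part of the Netatalk advisory or project.
# afp.conf is ini-style and "admin auth user" is a [Global] option, so
# the check only considers uncommented lines inside that section.

# Prints the active value of "admin auth user" from [Global]; prints
# nothing when the directive is absent or commented out (';' or '#').
admin_auth_user_value() {
    awk '
        /^[ \t]*[;#]/ { next }                 # skip comment lines
        /^[ \t]*\[/ {                          # section header
            in_global = (tolower($0) ~ /^[ \t]*\[global\]/)
            next
        }
        in_global && tolower($0) ~ /^[ \t]*admin[ \t]+auth[ \t]+user[ \t]*=/ {
            sub(/^[^=]*=[ \t]*/, "")           # keep only the value
            sub(/[ \t]+$/, "")
            value = $0                         # last occurrence wins
        }
        END { if (value != "") print value }
    ' "$1"
}

# Exit status 0 when the fallback is not configured (workaround in place),
# 1 when "admin auth user" is set and the advisory's guidance applies.
check_afp_conf() {
    value=$(admin_auth_user_value "$1")
    if [ -n "$value" ]; then
        echo "WARN: $1 sets 'admin auth user = $value' (see CVE-2026-44058 workaround)"
        return 1
    fi
    echo "OK: $1 does not set 'admin auth user'"
    return 0
}

# Constructed sample configurations for a stand-alone run.
tmpdir=$(mktemp -d)
cat > "$tmpdir/weak.conf" <<'EOF'
[Global]
hostname = fileserver
admin auth user = afpadmin

[Homes]
basedir regex = /home
EOF
cat > "$tmpdir/hardened.conf" <<'EOF'
[Global]
hostname = fileserver
; admin auth user = afpadmin   <- disabled per advisory workaround

[Homes]
basedir regex = /home
EOF
check_afp_conf "$tmpdir/weak.conf" || true
check_afp_conf "$tmpdir/hardened.conf"
rm -rf "$tmpdir"
```

Run it against the real configuration with `check_afp_conf /path/to/afp.conf`; a non-zero exit status flags a deployment where the workaround has not been applied, which makes the check easy to wire into a configuration audit.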
Credits
Vulnerability reported by:
@00redbeer
Patch developed by:
Daniel Markstedt of the Netatalk team