# Netatalk Security Advisory
| Subject | DES-ECB auth with timing side channel |
|---|---|
| CVE ID# | CVE-2026-44061 |
| Severity | Medium |
| Disclosure Date | 2026/05/13 |
| Affected Versions | 1.5.0 - 4.4.2 |
| Summary | The Randnum UAM uses DES in ECB mode and compares authentication data with a non-constant-time comparison |
## Description
The legacy Randnum authentication mechanism (UAM) uses obsolete cryptography (DES in ECB mode) and non-constant-time comparisons of authentication data. This UAM is not enabled by default; if enabled, the main risk is password-equivalent exposure or an offline attack on captured authentication data, rather than code execution or privilege escalation.
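The comparison half of the weakness, as an added example that is not Netatalk's code: a byte-by-byte compare that returns at the first mismatching byte (so the time it takes depends on how long the matching prefix is) next to a constant-time compare that always touches every byte and folds the differences together. The 8-byte sample values are constructed for the example, and the `cmp_result` type and both function names are this example's own, not identifiers from Netatalk. The DES-ECB half of the finding is not covered here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed sample data (DES block size, 8 bytes). Values are made up. */
static const uint8_t EXPECTED[8]   = {0x3a, 0x9f, 0x10, 0xc4, 0x77, 0x02, 0xee, 0x5b};
static const uint8_t WRONG_AT_0[8] = {0x00, 0x9f, 0x10, 0xc4, 0x77, 0x02, 0xee, 0x5b};
static const uint8_t WRONG_AT_7[8] = {0x3a, 0x9f, 0x10, 0xc4, 0x77, 0x02, 0xee, 0x00};

typedef struct {
    int match;     /* 1 if the inputs are equal, 0 otherwise */
    size_t steps;  /* number of bytes examined before returning */
} cmp_result;

/* Weak pattern: early-exit comparison. The loop stops at the first
 * mismatch, so `steps` (and wall-clock time) reveals the length of the
 * matching prefix. */
cmp_result compare_early_exit(const uint8_t *a, const uint8_t *b, size_t len)
{
    cmp_result r = {1, 0};
    for (size_t i = 0; i < len; i++) {
        r.steps++;
        if (a[i] != b[i]) {
            r.match = 0;
            break;
        }
    }
    return r;
}

/* Hardened pattern: constant-time comparison. Every byte is examined and
 * differences are OR-folded into `diff`; the final 0/1 result is derived
 * arithmetically rather than through a data-dependent branch. */
cmp_result compare_constant_time(const uint8_t *a, const uint8_t *b, size_t len)
{
    uint8_t diff = 0;
    for (size_t i = 0; i < len; i++)
        diff |= (uint8_t)(a[i] ^ b[i]);
    cmp_result r;
    r.steps = len;
    /* (diff - 1) >> 8 is 0xFFFFFF.. only when diff == 0, giving match = 1. */
    r.match = (int)((((unsigned)diff - 1u) >> 8) & 1u);
    return r;
}

static void report(const char *label, const uint8_t *candidate)
{
    cmp_result e = compare_early_exit(EXPECTED, candidate, sizeof EXPECTED);
    cmp_result c = compare_constant_time(EXPECTED, candidate, sizeof EXPECTED);
    printf("%-16s early-exit: match=%d steps=%zu | constant-time: match=%d steps=%zu\n",
           label, e.match, e.steps, c.match, c.steps);
}

int main(void)
{
    report("mismatch at 0", WRONG_AT_0);
    report("mismatch at 7", WRONG_AT_7);
    report("correct value", EXPECTED);
    return 0;
}
```

Run it and the early-exit column shows `steps` moving from 1 to 8 as the mismatch moves later in the buffer, while the constant-time column always reports 8 with the same match results; that difference in work per guess is the side channel the advisory names.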
## Patch Availability
Apply CVE-2026-44061.patch to a Netatalk 4.4.2 source tree to hotfix your local Netatalk deployment.
Alternatively, upgrade to Netatalk 4.5.0 or later, which includes the patch.
The Netatalk team does not encourage proactively applying the patch to existing deployments because of the low practical exploitability.
## CVSS Calculation
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N (5.9)
## Workaround
Disable the Randnum UAM and prefer stronger authentication methods.
## Credits
Vulnerability reported by:
@00redbeer
Patch developed by:
Daniel Markstedt of the Netatalk team
## References