Netatalk Security Advisory
| Subject | LDAP filter injection |
|---|---|
| CVE ID# | CVE-2026-44063 |
| Severity | Medium |
| Disclosure Date | 2026/05/13 |
| Affected Versions | 2.1.0 - 4.4.2 |
| Summary | LDAP search filters interpolate an unescaped name value |
Description
LDAP lookup filters may include client-influenced names without sufficient escaping. In LDAP-backed ACL or identity-mapping deployments, this can cause authorization or lookup confusion. Remote code execution is not indicated.
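Escaping the interpolated value as RFC 4515 requires is the standard remediation for this bug class. The code below is an added example, not Netatalk's code or its patch; the filter shape and the function names are assumptions.

```c
/* Added example (not Netatalk's code): RFC 4515 filter-value escaping,
 * the standard fix for interpolating a name into an LDAP search filter. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Escape one assertion value per RFC 4515 section 3: the bytes
 * '*', '(', ')', '\' and NUL become "\XX" (two hex digits).
 * Returns a malloc'd string, or NULL on allocation failure. */
char *ldap_filter_escape(const char *value, size_t len)
{
    char *out = malloc(len * 3 + 1);  /* worst case: every byte expands to 3 */
    if (!out)
        return NULL;
    char *p = out;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)value[i];
        switch (c) {
        case '*': case '(': case ')': case '\\': case '\0':
            p += sprintf(p, "\\%02x", c);
            break;
        default:
            *p++ = (char)c;
        }
    }
    *p = '\0';
    return out;
}

/* Hypothetical lookup filter (assumed shape): the name is only ever
 * inserted as an escaped assertion value when escape != 0.
 * Returns 0 on success, -1 on allocation failure or truncation. */
int build_uid_filter(char *buf, size_t buflen, const char *name, int escape)
{
    char *esc = NULL;
    if (escape && !(esc = ldap_filter_escape(name, strlen(name))))
        return -1;
    int n = snprintf(buf, buflen, "(&(objectClass=posixAccount)(uid=%s))",
                     escape ? esc : name);
    free(esc);
    return (n < 0 || (size_t)n >= buflen) ? -1 : 0;
}

int main(void)
{
    const char *name = "alice*)(uid=*";  /* constructed: carries metacharacters */
    char unsafe[256], safe[256];
    build_uid_filter(unsafe, sizeof unsafe, name, 0);
    build_uid_filter(safe, sizeof safe, name, 1);
    printf("unescaped: %s\nescaped:   %s\n", unsafe, safe);
    return 0;
}
```

The escaped form keeps the whole name inside the single `uid=` assertion, so a name containing filter syntax cannot change the structure of the query.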
Patch Availability
Apply CVE-2026-44063.patch to a Netatalk 4.4.2 source tree to hotfix your local Netatalk deployment.
Alternatively, upgrade to Netatalk 4.5.0 or later, which includes the patch.
The Netatalk team does not encourage proactively applying the patch to existing deployments because of the low practical exploitability.
CVSS Calculation
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N (4.2)
Workaround
Restrict LDAP-backed operations to trusted inputs and monitor LDAP queries until patched.
Credits
Vulnerability reported by:
@00redbeer
Patch developed by:
Daniel Markstedt of the Netatalk team