Netatalk Security Advisory
| Subject | EA path traversal via incomplete sanitization |
|---|---|
| CVE ID# | CVE-2026-44068 |
| Severity | High |
| Disclosure Date | 2026/05/13 |
| Affected Versions | 2.1.0 - 4.4.2 |
| Summary | Extended attribute names are not consistently sanitized across EA file operations |
Description
When extended attributes are stored as AppleDouble files, some EA operations do not consistently confine client-controlled attribute names to the intended metadata namespace. In affected deployments, an authenticated AFP user may be able to create, modify, remove, or change the permissions of files, within the limits of that user's filesystem permissions.
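The description above locates the defect in how client-supplied EA names are mapped onto files under the metadata directory. As an added illustration of the kind of confinement check the fix needs to apply uniformly (this is example code written for this page, not Netatalk's own implementation or its patch), the helpers below reject any name that could introduce a path component, build the on-disk path only from a passing name, and then re-verify that the result stays inside the directory. The function names, the directory `/vol/.AppleDouble`, and the sample attribute names are all made up for the example.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Netatalk's code): decide whether a client-supplied
 * extended-attribute name may be mapped to a file inside the metadata directory.
 * Rejects empty names, names containing a path separator, the "." and ".."
 * components, and over-long names, so the resulting path cannot leave the
 * EA namespace. */
bool ea_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    if (strchr(name, '/') != NULL)          /* would add a path component */
        return false;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return false;
    if (strlen(name) > 255)                 /* one filename component at most */
        return false;
    return true;
}

/* Build "<ea_dir>/<name>" only when the name passes the check above.
 * Returns 0 on success, -1 if the name is rejected or the buffer is too small. */
int ea_build_path(const char *ea_dir, const char *name, char *out, size_t outlen)
{
    if (!ea_name_is_safe(name))
        return -1;
    int n = snprintf(out, outlen, "%s/%s", ea_dir, name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return 0;
}

/* Second, independent check on the finished path: it must begin with the
 * metadata directory followed by exactly one more component. Applying this
 * at every EA operation (get, set, remove, chmod) is what keeps the
 * sanitization consistent rather than per-call-site. */
bool ea_path_confined(const char *ea_dir, const char *path)
{
    size_t dlen = strlen(ea_dir);
    if (strncmp(path, ea_dir, dlen) != 0 || path[dlen] != '/')
        return false;
    return strchr(path + dlen + 1, '/') == NULL;
}

int main(void)
{
    /* Constructed sample names; the directory is a made-up example path. */
    const char *ea_dir = "/vol/.AppleDouble";
    const char *names[] = { "com.apple.FinderInfo", "user.comment", "", "..", "sub/name" };
    char path[512];

    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        if (ea_build_path(ea_dir, names[i], path, sizeof path) == 0 &&
            ea_path_confined(ea_dir, path))
            printf("accepted: %s -> %s\n", names[i], path);
        else
            printf("rejected: \"%s\"\n", names[i]);
    }
    return 0;
}
```

The point of the second check is that a single validation at one call site is exactly what this class of bug slips past: each operation that turns an EA name into a path should run the same confinement test on the path it is about to open, unlink, or chmod.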
Patch Availability
Apply CVE-2026-44068.patch to a Netatalk 4.4.2 source tree to hotfix your local Netatalk deployment.
Alternatively, upgrade to Netatalk 4.4.3 or later, which includes the patch.
Netatalk administrators are advised to upgrade to this version or apply the patch as soon as possible.
CVSS Calculation
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L (7.6)
Workaround
Restrict AFP write access and metadata-modifying operations until patched.
Credits
Vulnerability reported by:
@00redbeer
Patch developed by:
Daniel Markstedt of the Netatalk team
References