Netatalk Security Advisory
| Subject | system() after failed chdir() |
|---|---|
| CVE ID# | CVE-2026-44072 |
| Severity | Low |
| Disclosure Date | 2026/05/13 |
| Affected Versions | 2.2.1 - 4.4.2 |
| Summary | CNID cleanup continues to invoke a shell command after failing to change into the intended directory |
Description
CNID database cleanup may continue after failing to enter the intended directory. If an attacker can influence the service environment so that directory changes fail, cleanup may affect matching files in the wrong working directory. The command being run is fixed, so this is not command injection.
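The bug class described above, as an added illustration that is not Netatalk's own code: a cleanup routine that ignores the result of chdir() and then calls system() with a fixed command will run that command in whatever directory the process was already in. The hardened form refuses to proceed when chdir() fails. The cleanup command here is a harmless stand-in (`true`), since the page does not quote the real one, and the directory name in main() is a constructed example.

```c
#include <errno.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>

/* Fixed command string: nothing attacker-controlled reaches the shell, so this
 * is not command injection. "true" is a harmless placeholder for the real
 * cleanup command, which this example does not model. */
#define CLEANUP_CMD "true"

/* Unsafe pattern: the chdir() result is discarded, so on failure the fixed
 * command executes in the previous working directory. Returns system()'s
 * status (0 on success of the placeholder command). */
int cleanup_unchecked(const char *dir) {
    (void)chdir(dir);            /* error ignored: this is the defect */
    return system(CLEANUP_CMD);  /* runs regardless of where we are */
}

/* Hardened pattern: only run the command once we are provably in the intended
 * directory. Returns -1 without running anything if chdir() fails. */
int cleanup_checked(const char *dir) {
    if (chdir(dir) != 0) {
        fprintf(stderr, "cleanup: chdir(%s) failed: %s; refusing to run %s\n",
                dir, strerror(errno), CLEANUP_CMD);
        return -1;
    }
    return system(CLEANUP_CMD);
}

int main(void) {
    /* Constructed directory name that does not exist, so chdir() fails. */
    const char *missing = "/nonexistent-cnid-dir-example";
    char cwd[4096];

    if (getcwd(cwd, sizeof cwd) == NULL)
        strcpy(cwd, "?");

    printf("unchecked: status %d (command ran in %s, not %s)\n",
           cleanup_unchecked(missing), cwd, missing);
    printf("checked:   status %d (command not run)\n",
           cleanup_checked(missing));
    return 0;
}
```

The defender-side check is the same one the patch described on this page amounts to: treat a failed chdir() as a reason to abort the cleanup, never as a condition to fall through.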
Patch Availability
Apply CVE-2026-44072.patch to a Netatalk 4.4.2 source tree to hotfix your local Netatalk deployment.
Alternatively, upgrade to Netatalk 4.5.0 or later, which includes the patch.
The Netatalk team does not encourage proactively applying the patch to existing deployments because of the low practical exploitability.
CVSS Calculation
CVSS:3.1/AV:L/AC:H/PR:H/UI:N/S:U/C:N/I:L/A:L (2.5)
Workaround
Ensure CNID database directories have correct ownership and permissions and restrict access until patched.
Credits
Vulnerability reported by:
@00redbeer
Patch developed by:
Daniel Markstedt of the Netatalk team