Netatalk Security Advisory
| Subject | seteuid failure ignored in auth modules |
|---|---|
| CVE ID# | CVE-2026-44073 |
| Severity | Medium |
| Disclosure Date | 2026/05/13 |
| Affected Versions | 1.5.0 - 4.4.2 |
| Summary | Authentication modules log seteuid() failures but continue execution |
Description
Authentication modules may continue after failed privilege changes instead of aborting. Attackers generally cannot force these failures in a useful way under normal deployments, but the behavior creates a defense-in-depth risk if privilege dropping unexpectedly fails.
Patch Availability
Apply CVE-2026-44073.patch to a Netatalk 4.4.2 source tree to hotfix your local Netatalk deployment.
Alternatively, upgrade to Netatalk 4.5.0 or later, which includes the patch.
The Netatalk team does not encourage proactively applying the patch to existing deployments because of the low practical exploitability.
CVSS Calculation
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:L (4.0)
Workaround
Disable the Randnum UAM where possible until patched.
Credits
Vulnerability reported by:
@00redbeer
Patch developed by:
Daniel Markstedt of the Netatalk team