What this actually is.
Technical background, root cause, and affected surface.
An SQL injection vulnerability exists in the MySQL CNID (Connection Node ID) backend of Netatalk. The CNID subsystem manages persistent file identifiers for AFP volumes. Unsanitized user-controlled input is passed directly into SQL queries, allowing an authenticated attacker to manipulate database operations.
- Vendor
- Netatalk
- Product
- Netatalk
- Severity
- High
- CVSS Score
- 8.8
- Status
- Published
- CWE
- CWE-89: Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
From one request
to root shell.
Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.
The bug, and the fix.
cnid_dbd.c / cnid_mysql.c: SQL query construction using unsanitized AFP client-supplied data in CNID lookup and registration functions
Root cause: Failure to use parameterized queries or prepared statements when constructing SQL from AFP client-supplied identifiers
When does this fire?
All conditions must be true for the exploit to succeed.
Attacker must be authenticated to the AFP server with access to a volume backed by the MySQL CNID database
What an attacker does to you.
Post-exploitation outcomes mapped to CVSS impact metrics.
Unauthorized read or modification of CNID database records; potential denial of service via malformed SQL; data integrity compromise
Fix it. In this order.
A runbook, not a checklist. Sequence matters — assume compromise before you act.
Upgrade to Netatalk 4.4.3 which fixes all SQL injection points with parameterized queries. If upgrade is not immediately possible, disable the MySQL CNID backend.
disclose@securin.ioVendors moved in days.
Attackers in hours.
Reconstructed from vendor advisories, CISA bulletins, and Securin research records.
2026-05-13: Netatalk 4.4.3 patch released | 2026-05-21: CVE published to MITRE
Timeline recorded · Disclosure coordinated by Securin
Cite, verify, go deeper.
Primary sources — NVD, CISA KEV, and machine-readable IoC feed.