What this actually is.
Technical background, root cause, and affected surface.
Netatalk does not adequately validate symlink targets when AFP clients create symbolic links within volumes. An authenticated attacker can create a symlink pointing to arbitrary filesystem paths, then read or overwrite files at those paths via normal AFP file operations.
- Vendor
- Netatalk
- Product
- Netatalk
- Severity
- High
- CVSS Score
- 8.1
- Status
- Published
- CWE
- CWE-59: Improper Link Resolution Before File Access ('Link Following')
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
From one request
to root shell.
Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.
The bug, and the fix.
afpd/file.c / afpd/directory.c: symlink handling during AFP FPCreateFile and FPOpenFork operations lacks target path validation
Root cause: Insufficient validation of symlink targets; Netatalk resolves symlinks without confirming the resolved path remains within the authorized volume
When does this fire?
All conditions must be true for the exploit to succeed.
Authenticated AFP client with write access to a volume creates a symlink targeting a path outside the volume root, then reads or writes through it
What an attacker does to you.
Post-exploitation outcomes mapped to CVSS impact metrics.
Arbitrary file read (sensitive files, credentials, keys) or arbitrary file write (config files, cron jobs) outside the AFP volume boundary
Fix it. In this order.
A runbook, not a checklist. Sequence matters — assume compromise before you act.
Upgrade to Netatalk 4.4.3 which adds symlink target validation to ensure resolved paths remain within the configured volume root.
disclose@securin.ioVendors moved in days.
Attackers in hours.
Reconstructed from vendor advisories, CISA bulletins, and Securin research records.
2026-05-13: Netatalk 4.4.3 patch released | 2026-05-21: CVE published to MITRE
Timeline recorded · Disclosure coordinated by Securin
Cite, verify, go deeper.
Primary sources — NVD, CISA KEV, and machine-readable IoC feed.