What this actually is.
Technical background, root cause, and affected surface.
Netatalk logs the LDAP simple-bind password in plaintext when debug logging is enabled or during error conditions. Any process or user with access to Netatalk log files can extract the LDAP bind credentials.
- Vendor
- Netatalk
- Product
- Netatalk
- Severity
- High
- CVSS Score
- 7.5
- Status
- Published
- CWE
- CWE-532: Insertion of Sensitive Information into Log File
- Vector
- CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
From one request
to root shell.
Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.
The bug, and the fix.
afpd/ldap.c: LDAP bind function logs the password parameter via LOG() macro without sanitization
Root cause: Debug/error logging statements include the password argument of the LDAP bind call without masking
When does this fire?
All conditions must be true for the exploit to succeed.
Netatalk configured with LDAP authentication; log files readable by non-privileged users or forwarded to centralized logging
What an attacker does to you.
Post-exploitation outcomes mapped to CVSS impact metrics.
Exposure of LDAP simple-bind credentials in plaintext log files, enabling unauthorized directory access
Fix it. In this order.
A runbook, not a checklist. Sequence matters — assume compromise before you act.
Upgrade to Netatalk 4.4.3 which removes password values from all log statements. Immediately rotate LDAP bind credentials and audit log access.
disclose@securin.ioVendors moved in days.
Attackers in hours.
Reconstructed from vendor advisories, CISA bulletins, and Securin research records.
2026-05-13: Netatalk 4.4.3 patch released | 2026-05-21: CVE published to MITRE
Timeline recorded · Disclosure coordinated by Securin
Cite, verify, go deeper.
Primary sources — NVD, CISA KEV, and machine-readable IoC feed.