What this actually is.
Technical background, root cause, and affected surface.
Netatalk's admin auth user feature allows a designated administrator account to authenticate to the AFP server as any other user without knowing their password. While intended for administrative use, this represents an authentication bypass that any AFP admin can exploit.
- Vendor
- Netatalk
- Product
- Netatalk
- Severity
- High
- CVSS Score
- 7.2
- Status
- Published
- CWE
- CWE-287: Improper Authentication
- Vector
- CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
From one request
to root shell.
Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.
The bug, and the fix.
afpd/auth.c: admin_user configuration check bypasses normal credential verification when admin_auth_user matches the connecting account
Root cause: By design the admin auth user bypasses password authentication; the vulnerability is that this bypass is insufficiently restricted and audited
When does this fire?
All conditions must be true for the exploit to succeed.
An AFP account configured as admin auth user authenticates to the server specifying a different target username
What an attacker does to you.
Post-exploitation outcomes mapped to CVSS impact metrics.
Full authentication bypass; admin can access any user's AFP volumes, files, and data without knowing their credentials
Fix it. In this order.
A runbook, not a checklist. Sequence matters — assume compromise before you act.
Upgrade to Netatalk 4.4.3 which adds additional controls and audit logging to the admin auth user mechanism. Remove admin_auth_user configuration entries if not required.
disclose@securin.ioVendors moved in days.
Attackers in hours.
Reconstructed from vendor advisories, CISA bulletins, and Securin research records.
2026-05-13: Netatalk 4.4.3 patch released | 2026-05-21: CVE published to MITRE
Timeline recorded · Disclosure coordinated by Securin
Cite, verify, go deeper.
Primary sources — NVD, CISA KEV, and machine-readable IoC feed.