What this actually is.
Technical background, root cause, and affected surface.
Netatalk does not properly sanitize user-supplied input before incorporating it into LDAP filter strings. An authenticated AFP user can inject LDAP filter metacharacters to modify query logic, enumerate directory objects, or potentially modify entries.
- Vendor
- Netatalk
- Product
- Netatalk
- Severity
- Medium
- CVSS Score
- 4.2
- Status
- Published
- CWE
- CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
- Vector
- CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:N
From one request
to root shell.
Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.
The bug, and the fix.
afpd/ldap.c: LDAP filter construction concatenates AFP client-supplied username or group input without escaping LDAP special characters
Root cause: User input incorporated into LDAP filter strings without RFC 4515 special character escaping
When does this fire?
All conditions must be true for the exploit to succeed.
Authenticated AFP client supplies input containing LDAP filter metacharacters (parentheses, asterisks, backslashes) in username or group fields passed to LDAP queries
What an attacker does to you.
Post-exploitation outcomes mapped to CVSS impact metrics.
Unauthorized LDAP directory enumeration; potential modification of LDAP entries
Fix it. In this order.
A runbook, not a checklist. Sequence matters — assume compromise before you act.
Upgrade to Netatalk 4.4.3 which implements proper LDAP filter input escaping per RFC 4515.
disclose@securin.ioVendors moved in days.
Attackers in hours.
Reconstructed from vendor advisories, CISA bulletins, and Securin research records.
2026-05-13: Netatalk 4.4.3 patch released | 2026-05-21: CVE published to MITRE
Timeline recorded · Disclosure coordinated by Securin
Cite, verify, go deeper.
Primary sources — NVD, CISA KEV, and machine-readable IoC feed.