What this actually is.
Technical background, root cause, and affected surface.
Extended Attributes (EA) path construction in Netatalk applies incomplete sanitization, failing to fully resolve and block path traversal sequences (../). An authenticated attacker can craft EA operation requests that resolve to paths outside the authorized AFP volume.
- Vendor
- Netatalk
- Product
- Netatalk
- Severity
- High
- CVSS Score
- 7.6
- Status
- Published
- CWE
- CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')
- Vector
- CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L
From one request
to root shell.
Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.
The bug, and the fix.
afpd/ea.c: EA path construction applies partial sanitization but does not perform canonical path resolution before checking against volume root
Root cause: EA path validation does not canonicalize the full path (resolving all ../ sequences) before comparing against the volume root
When does this fire?
All conditions must be true for the exploit to succeed.
Authenticated AFP client sends EA get/set operations with a crafted filename or path component containing path traversal sequences
What an attacker does to you.
Post-exploitation outcomes mapped to CVSS impact metrics.
Unauthorized read or write of files outside the AFP volume boundary
Fix it. In this order.
A runbook, not a checklist. Sequence matters — assume compromise before you act.
Upgrade to Netatalk 4.4.3 which uses realpath() canonicalization before volume root validation in EA path handling.
disclose@securin.ioVendors moved in days.
Attackers in hours.
Reconstructed from vendor advisories, CISA bulletins, and Securin research records.
2026-05-13: Netatalk 4.4.3 patch released | 2026-05-21: CVE published to MITRE
Timeline recorded · Disclosure coordinated by Securin
Cite, verify, go deeper.
Primary sources — NVD, CISA KEV, and machine-readable IoC feed.