What this actually is.
Technical background, root cause, and affected surface.
Netatalk passes configured volume paths to shell commands without sanitizing shell metacharacters. A local administrator who can modify afpd.conf can inject arbitrary shell commands into volume path fields that are subsequently executed by the afpd daemon with root privileges.
- Vendor
- Netatalk
- Product
- Netatalk
- Severity
- Medium
- CVSS Score
- 6.7
- Status
- Published
- CWE
- CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')
- Vector
- CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
From one request
to root shell.
Reproduced in a sandboxed environment. Requires only LAN or WiFi adjacency.
The bug, and the fix.
afpd/volume.c: volume path passed directly to system() or popen() without shell metacharacter sanitization
Root cause: Volume path values from configuration are not sanitized before being passed to shell execution functions
When does this fire?
All conditions must be true for the exploit to succeed.
Local administrator with write access to afpd.conf inserts shell metacharacters into a volume path directive; afpd processes the volume
What an attacker does to you.
Post-exploitation outcomes mapped to CVSS impact metrics.
Arbitrary OS command execution as root via the configured volume path
Fix it. In this order.
A runbook, not a checklist. Sequence matters — assume compromise before you act.
Upgrade to Netatalk 4.4.3 which sanitizes volume paths before use in shell commands. Restrict write access to afpd.conf.
disclose@securin.ioVendors moved in days.
Attackers in hours.
Reconstructed from vendor advisories, CISA bulletins, and Securin research records.
2026-05-13: Netatalk 4.4.3 patch released | 2026-05-21: CVE published to MITRE
Timeline recorded · Disclosure coordinated by Securin
Cite, verify, go deeper.
Primary sources — NVD, CISA KEV, and machine-readable IoC feed.