Skip to main content

SSSD CVE-2026-14474

| EUVDEUVD-2026-42022 HIGH
Initialization of a Resource with an Insecure Default (CWE-1188)
2026-07-07 redhat GHSA-2vq9-j58h-2qj3
8.8
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
8.8 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable LDAP write (AV:N/AC:L), attacker needs delegated directory write privileges so PR:L not PR:N, and injected sudoRole yields full root impact (C/I/A:H); S:U kept per vendor though cross-host reach arguably warrants S:C.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N
SUSE
HIGH
qualitative
Red Hat
8.8 HIGH
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 07, 2026 - 10:31 vuln.today
CVE Published
Jul 07, 2026 - 09:12 nvd
HIGH 8.8

DescriptionCVE.org

A flaw was found in SSSD's LDAP sudo provider. When the ldap_sudo_search_base option is not explicitly configured, SSSD searches the entire LDAP directory tree for sudoRole objects. An authenticated attacker with write access to any subtree can inject a sudoRole object granting root-level sudo privileges on all SSSD-enrolled hosts.

AnalysisAI

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user with write access to any subtree to inject a malicious sudoRole object and gain root-level sudo on every SSSD-enrolled host. The flaw exists because, when ldap_sudo_search_base is left unset, SSSD searches the entire directory tree for sudoRole objects, trusting rules planted anywhere in the DIT. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Authenticate to LDAP directory
Delivery
Locate writable subtree
Exploit
Inject malicious sudoRole object
Execution
SSSD searches full tree, loads rule
Persist
Run sudo as root on enrolled hosts
Impact
Domain-wide root compromise

Vulnerability AssessmentAI

Exploitation Exploitation requires two concrete conditions from the description: (1) the SSSD LDAP sudo provider is in use with the ldap_sudo_search_base option NOT explicitly configured, causing SSSD to search the entire LDAP directory tree for sudoRole objects; and (2) the attacker is an authenticated directory principal holding write access to at least one subtree of the LDAP directory, sufficient to create a sudoRole object. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The CVSS 3.1 vector (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H = 8.8 High) accurately captures a network-reachable, low-complexity attack that requires some existing privilege (PR:L) - specifically write access to a directory subtree - and yields full confidentiality, integrity, and availability impact via root sudo. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated directory user who has been delegated write access to a seemingly harmless subtree (for example, their own group or department OU) creates a sudoRole object granting themselves ALL=(ALL) NOPASSWD on all hosts. Because the victim organization never set ldap_sudo_search_base, every SSSD-enrolled server discovers and applies the injected rule on its next sudo lookup, and the attacker runs commands as root across the fleet. …
Remediation No vendor-released patch version was identified in the provided data - monitor the Red Hat advisory (https://access.redhat.com/security/cve/CVE-2026-14474) and Bugzilla 2496556 (https://bugzilla.redhat.com/show_bug.cgi?id=2496556) for the fixed SSSD package build for your RHEL/OpenShift release and apply it once published. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all RHEL 6-10 and OpenShift Container Platform 4 systems using SSSD with LDAP sudo integration; audit LDAP directory permissions to identify which user accounts have write access to sudoRole objects. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

CVE-2026-0966 HIGH
8.2 Mar 26

Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces

CVE-2026-35091 HIGH
8.2 Apr 01

Out-of-bounds read in Corosync allows unauthenticated remote attackers to crash cluster nodes and potentially leak memor

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected
SUSE Linux Enterprise Micro 5.3 Affected

Share

CVE-2026-14474 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy