Skip to main content

SSSD CVE-2026-14476

| EUVDEUVD-2026-42023 HIGH
Relative Path Traversal (CWE-23)
2026-07-07 redhat GHSA-v6qh-pm8g-3c5w
8.0
CVSS 3.1 · Vendor: redhat
Share

Severity by source

Vendor (redhat) PRIMARY
8.0 HIGH
AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
vuln.today AI
8.0 HIGH

Attacker needs AD GPO write access (PR:H) and target-path knowledge (AC:H) over LDAP (AV:N); root file write from a GPO-management context crosses a trust boundary (S:C) with full host CIA impact.

3.1 AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
4.0 AV:N/AC:H/AT:N/PR:H/UI:N/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H
SUSE
HIGH
qualitative
Red Hat
8.0 MEDIUM
qualitative

Primary rating from Vendor (redhat).

CVSS VectorVendor: redhat

CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
High
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

2
Analysis Generated
Jul 07, 2026 - 10:32 vuln.today
CVE Published
Jul 07, 2026 - 09:12 nvd
HIGH 8.0

DescriptionCVE.org

A path traversal flaw was found in SSSD's AD GPO provider. The ad_gpo_extract_smb_components() function does not sanitize .. sequences in the gPCFileSysPath LDAP attribute, allowing an attacker with AD GPO management access to write files outside the GPO cache directory as root. On default RHEL configurations with SELinux enforcing, this can be used to inject Kerberos configuration leading to authentication bypass.

AnalysisAI

Privilege escalation to root and Kerberos-based authentication bypass in SSSD's Active Directory GPO provider affects Red Hat Enterprise Linux 6 through 10 and OpenShift Container Platform 4. Because ad_gpo_extract_smb_components() fails to sanitize '..' sequences in the gPCFileSysPath LDAP attribute (CWE-23), an actor holding AD GPO management rights can force an SSSD-enrolled host to write attacker-controlled files outside the GPO cache as root, injecting Kerberos configuration to bypass authentication. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain AD GPO management access
Delivery
Craft GPO with '..' in gPCFileSysPath
Exploit
SSSD applies policy on target host
Execution
Path traversal writes file as root outside cache
Persist
Inject malicious Kerberos configuration
Impact
Bypass authentication on host

Vulnerability AssessmentAI

Exploitation Exploitation requires that the target host is joined to Active Directory and uses SSSD's AD GPO provider (GPO-based access control enabled), and that the attacker holds AD GPO management/write access allowing modification of a GPO's gPCFileSysPath LDAP attribute. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The supplied CVSS 3.1 vector (AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H, base 8.0) reflects a high-impact but access-gated flaw: network vector via LDAP, but high attack complexity and high privileges required, offset by a changed scope and full CIA impact because a GPO-management actor pivots to root on client hosts. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who has obtained AD GPO management rights - an over-privileged helpdesk admin, or an adversary who has already compromised a delegated AD account - crafts a GPO whose gPCFileSysPath attribute contains '..' traversal sequences pointing outside the SSSD GPO cache. When an AD-joined RHEL host running SSSD applies the policy, SSSD writes attacker-controlled content as root to a sensitive location such as Kerberos configuration, enabling an authentication bypass on that host. …
Remediation No vendor-released patched package version is identified in the provided data; monitor and apply the Red Hat errata referenced at https://access.redhat.com/security/cve/CVE-2026-14476 and Bugzilla https://bugzilla.redhat.com/show_bug.cgi?id=2496581 as soon as fixed sssd packages are published, then update all AD-joined RHEL and OpenShift 4 hosts. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Inventory all SSSD-enrolled systems running RHEL 6-10 and OpenShift Container Platform 4 with Active Directory GPO provider enabled; verify current SSSD version via 'rpm -qa sssd' or equivalent. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

CVE-2026-4631 CRITICAL POC
9.8 Apr 07

Remote code execution in Cockpit's web interface allows unauthenticated attackers to execute arbitrary commands on the h

CVE-2026-4480 CRITICAL POC
9.0 May 26

Remote code execution in Samba's printing subsystem allows remote attackers to inject arbitrary shell commands via craft

CVE-2026-14544 CRITICAL
9.8 Jul 03

Remote code execution and privilege escalation in HPLIP (HP Linux Imaging and Printing) affects the hpcups print filter

CVE-2026-28369 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow (the embedded web server underpinning JBoss EAP, Red Hat Data Grid, and Apache Camel

CVE-2026-28368 CRITICAL
9.1 Mar 27

HTTP request smuggling in Red Hat Undertow allows remote unauthenticated attackers to bypass front-end security controls

CVE-2026-33845 CRITICAL
9.1 Apr 30

Out-of-bounds read in the GnuTLS DTLS handshake reassembly logic lets remote unauthenticated attackers trigger an intege

CVE-2026-28367 CRITICAL
9.1 Mar 27

HTTP request smuggling in Undertow allows remote unauthenticated attackers to send `\r\r\r` as a header block terminator

CVE-2026-11610 HIGH
8.8 Jul 07

Denial of service in Red Hat / 389 Directory Server (389-ds-base, versions since ~1.3.2/2013) allows an authenticated LD

CVE-2026-14474 HIGH
8.8 Jul 07

Local-to-domain-wide root privilege escalation in SSSD's LDAP sudo provider allows an authenticated LDAP directory user

CVE-2026-52720 HIGH
8.8 Jun 15

Heap buffer overflow in GStreamer's librfb (RFB/VNC client) allows a malicious VNC server to corrupt heap memory on a co

CVE-2026-5260 HIGH
8.2 May 26

Information disclosure and denial of service in GnuTLS (libgnutls) let a remote, unauthenticated attacker trigger a heap

CVE-2026-0966 HIGH
8.2 Mar 26

Remote denial-of-service in libssh 0.11.x and earlier allows unauthenticated attackers to crash SSH server daemon proces

Vendor StatusVendor

SUSE

Severity: Important
Product Status
SUSE Linux Enterprise High Performance Computing 15 SP4-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP4-LTSS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-ESPOS Affected
SUSE Linux Enterprise High Performance Computing 15 SP5-LTSS Affected
SUSE Linux Enterprise Micro 5.3 Affected

Share

CVE-2026-14476 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy