Skip to main content

Samba CVE-2026-1933

| EUVDEUVD-2026-32275 MEDIUM
Improper Access Control (CWE-284)
2026-05-27 secalert@redhat.com GHSA-c866-5hw6-cqf9
6.5
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
SUSE
7.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:L/A:H
Red Hat
7.1 HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
None
Integrity
High
Availability
None

Lifecycle Timeline

3
Severity Changed
Jun 15, 2026 - 22:22 NVD
HIGH MEDIUM
CVSS changed
Jun 15, 2026 - 22:22 NVD
7.1 (HIGH) 6.5 (MEDIUM)
Analysis Generated
May 27, 2026 - 20:59 vuln.today

DescriptionNVD

A flaw was found in Samba’s handling of NTFS-style reparse points on shares configured with read only = yes. Due to missing SMB-layer access checks, authenticated users with underlying filesystem write permissions may create or delete reparse point metadata through SMB operations even on read-only exports. This could allow modification of SMB-visible file behavior, including converting files into symbolic links or other reparse point types.

AnalysisAI

Access control bypass in Samba allows authenticated SMB users who hold write permissions on the underlying filesystem to create or delete NTFS-style reparse point metadata on shares configured with 'read only = yes', defeating the read-only intent of the export. Because the necessary access checks are missing at the SMB layer, an attacker can change how files behave when accessed over SMB - for example, converting a regular file into a symbolic link or another reparse-point type - yielding an integrity and availability impact (CVSS 7.1). There is no public exploit identified at time of analysis, and CISA's SSVC framework rates exploitation as 'none', non-automatable, with partial technical impact.

Technical ContextAI

Samba is the open-source implementation of the SMB/CIFS file-sharing protocol used to export filesystem paths to Windows and other SMB clients on Unix-like systems. Reparse points are an NTFS concept (surfaced by Samba for SMB clients) that attach special metadata to a file or directory so it can behave as a symbolic link, junction, or other redirection type rather than as ordinary data. The 'read only = yes' share parameter is meant to prevent clients from modifying content on that export. The root cause maps to CWE-284 (Improper Access Control): Samba enforces the read-only policy for normal write operations but fails to apply equivalent SMB-layer checks to the create/delete operations on reparse point metadata, so the operation is gated only by the underlying POSIX filesystem permissions rather than by the share's read-only configuration. Although the input tags this as 'Authentication Bypass', the technical behavior and CWE indicate an authorization/access-control bypass: the user is already authenticated, but the read-only authorization boundary is not enforced.

RemediationAI

No vendor-released patch version is identified in the available data, so the fixed Samba release cannot be cited with confidence - monitor the upstream Samba Bugzilla (https://bugzilla.samba.org/show_bug.cgi?id=15992) and the Red Hat advisory (https://access.redhat.com/security/cve/CVE-2026-1933) and apply the fixed package as soon as your distribution publishes it. Because exploitation depends on the attacker holding write permissions on the backing filesystem, the most effective compensating control is to align the underlying POSIX/filesystem permissions with the read-only intent of the share: remove or restrict write access (owner, group, and other) on the exported directory tree for accounts that connect to read-only shares, so the SMB read-only setting is backed by actual filesystem enforcement (trade-off: this can break legitimate local/backend processes that need to write to the same path). Where reparse point / symlink behavior is not required, consider disabling symlink and reparse-point support on the affected shares (for example via the relevant 'follow symlinks'/wide-links and VFS settings), accepting that this removes any legitimate symlink functionality for those exports. Limit which users can authenticate to read-only shares and audit/monitor SMB operations on those exports for unexpected reparse-point creation or deletion.

CVE-2015-8103 CRITICAL POC
9.8 Nov 25

The Jenkins CLI subsystem in Jenkins before 1.638 and LTS before 1.625.2 allows remote attackers to execute arbitrary co

CVE-2021-4104 HIGH
7.5 Dec 14

JMSAppender in Log4j 1.2 is vulnerable to deserialization of untrusted data when the attacker has write access to the Lo

CVE-2024-6387 HIGH POC
8.1 Jul 01

Remote code execution in OpenSSH's sshd server (regression of CVE-2006-5051) allows unauthenticated remote attackers to

CVE-2023-48795 MEDIUM POC
5.9 Dec 18

The SSH transport protocol with certain OpenSSH extensions, found in OpenSSH before 9.6 and other products, allows remot

CVE-2025-26465 MEDIUM
6.8 Feb 18

A vulnerability was found in OpenSSH when the VerifyHostKeyDNS option is enabled. Rated medium severity (CVSS 6.8), this

CVE-2019-7609 CRITICAL POC
10.0 Mar 25

Kibana versions before 5.6.15 and 6.6.1 contain an arbitrary code execution flaw in the Timelion visualizer. Rated criti

CVE-2019-1003029 CRITICAL POC
9.9 Mar 08

A sandbox bypass vulnerability exists in Jenkins Script Security Plugin 1.53 and earlier in src/main/java/org/jenkinsci/

CVE-2018-1000861 CRITICAL POC
9.8 Dec 10

A code execution vulnerability exists in the Stapler web framework used by Jenkins 2.153 and earlier, LTS 2.138.3 and ea

CVE-2019-1003002 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Pipeline: Declarative Plugin 1.3.3 and earlier in. Rated high severity (CVSS 8.

CVE-2019-1003001 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Pipeline: Groovy Plugin 2.61 and earlier in src/main/java/org/jenkinsci/plugins

CVE-2019-1003000 HIGH POC
8.8 Jan 22

A sandbox bypass vulnerability exists in Script Security Plugin 1.49 and earlier in src/main/java/org/jenkinsci/plugins/

CVE-2024-12085 HIGH POC
7.5 Jan 14

A flaw was found in rsync which could be triggered when rsync compares file checksums. Rated high severity (CVSS 7.5), t

Vendor StatusVendor

SUSE

Severity: High
Product Status
Image SLES15-SP7-HPC-Azure Affected
SUSE Linux Enterprise Desktop 15 SP7 SUSE Linux Enterprise High Performance Computing 15 SP7 SUSE Linux Enterprise Module for Basesystem 15 SP7 SUSE Linux Enterprise Server 15 SP7 SUSE Linux Enterprise Server for SAP Applications 15 SP7 Fixed
SUSE Linux Enterprise High Availability Extension 15 SP7 Fixed
openSUSE Tumbleweed Fixed
SUSE Linux Enterprise Desktop 15 SP7 Fixed

Share

CVE-2026-1933 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy