Skip to main content

mitmproxy CVE-2026-40606

MEDIUM
LDAP Injection (CWE-90)
2026-04-21 security-advisories@github.com
4.8
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
4.8 MEDIUM
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
SUSE
MEDIUM
qualitative

Primary rating from GitHub Advisory.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

4
Patch released
Apr 21, 2026 - 20:30 nvd
Patch available
Analysis Generated
Apr 21, 2026 - 18:49 vuln.today
Analysis Generated
Apr 21, 2026 - 18:22 vuln.today
CVE Published
Apr 21, 2026 - 18:16 nvd
MEDIUM 4.8

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 1 pypi packages depend on mitmproxy (1 direct, 0 indirect)

Ecosystem-wide dependent count for version 12.2.2.

DescriptionGitHub Advisory

mitmproxy is a interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers and mitmweb is a web-based interface for mitmproxy. In mitmproxy 12.2.1 and below, the builtin LDAP proxy authentication does not correctly sanitize the username when querying the LDAP server. This allows a malicious client to bypass authentication. Only mitmproxy instances using the proxyauth option with LDAP are affected. This option is not enabled by default. The vulnerability has been fixed in mitmproxy 12.2.2 and above.

AnalysisAI

Authentication bypass in mitmproxy 12.2.1 and below allows remote attackers to bypass LDAP-based proxy authentication through unsanitized username injection. The vulnerability affects only instances explicitly configured with the proxyauth option using LDAP authentication, which is disabled by default. Attackers can exploit this over the network without authentication or user interaction to gain unauthorized access to proxied connections.

Technical ContextAI

mitmproxy's builtin LDAP proxy authentication mechanism (enabled via the proxyauth option with LDAP configuration) constructs LDAP queries using client-supplied usernames without proper sanitization. The vulnerability root cause is CWE-90 (Improper Neutralization of Special Elements used in an LDAP Query), allowing attackers to inject LDAP filter syntax into authentication queries. This enables bypassing the authentication check by manipulating the LDAP filter logic, similar to SQL injection attacks but targeting LDAP directory services. The affected component is the LDAP authentication handler in mitmproxy's proxy authentication subsystem.

RemediationAI

Upgrade mitmproxy to version 12.2.2 or above, which contains the fix for LDAP username sanitization. Organizations unable to upgrade immediately should disable the proxyauth LDAP feature if not critical to operations, or implement a non-LDAP authentication method. Additional compensating controls include restricting network access to the mitmproxy proxy port using firewall rules to limit which clients can reach the authentication endpoint, though this may impact legitimate use cases. Verify the upgrade using the GitHub security advisory GHSA-527g-3w9m-29hv.

More in LDAP

View all
CVE-2016-9299 CRITICAL POC
9.8 Jan 12

The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a

CVE-2017-14596 CRITICAL POC
9.8 Sep 20

In Joomla!. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required,

CVE-2017-8790 CRITICAL POC
9.8 May 05

An issue was discovered on Accellion FTA devices before FTA_9_12_180. Rated critical severity (CVSS 9.8), this vulnerabi

CVE-2023-28853 MEDIUM POC
6.5 Apr 04

Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut

CVE-2020-36966 MEDIUM POC
6.4 Jan 30

Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows at

CVE-2025-36556 MEDIUM POC
6.1 Jan 20

A reflected cross-site scripting (xss) vulnerability exists in the ldapUser functionality of MedDream PACS Premium 7.3.6

CVE-2026-23906 CRITICAL
9.8 Feb 10

Authentication bypass in Apache Druid versions 0.17.0 through 35.x. Affects all versions prior to 36.0.0 when specific p

CVE-2026-44930 CRITICAL
9.8 May 22

Arbitrary certificate disclosure in Apache CXF's XKMS server lets remote attackers abuse an LDAP injection flaw (CWE-90)

CVE-2024-33868 CRITICAL
9.8 May 14

An issue was discovered in linqi before 1.4.0.1 on Windows. Rated critical severity (CVSS 9.8), this vulnerability is re

CVE-2023-6905 CRITICAL
9.8 Dec 18

A vulnerability, which was classified as problematic, has been found in Jahastech NxFilter 4.3.2.5.jsp?actionFlag=test&i

CVE-2021-43350 CRITICAL
9.8 Nov 11

An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the P

CVE-2026-21880 MEDIUM POC
5.3 Jan 08

Kanboard versions 1.2.48 and earlier contain an LDAP injection vulnerability where unsanitized user input in the LDAP au

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
openSUSE Tumbleweed Fixed

Share

CVE-2026-40606 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy