mitmproxy CVE-2026-40606
MEDIUMSeverity by source
AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from GitHub Advisory.
CVSS VectorGitHub Advisory
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
4Blast Radius
ecosystem impact- 1 pypi packages depend on mitmproxy (1 direct, 0 indirect)
Ecosystem-wide dependent count for version 12.2.2.
DescriptionGitHub Advisory
mitmproxy is a interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers and mitmweb is a web-based interface for mitmproxy. In mitmproxy 12.2.1 and below, the builtin LDAP proxy authentication does not correctly sanitize the username when querying the LDAP server. This allows a malicious client to bypass authentication. Only mitmproxy instances using the proxyauth option with LDAP are affected. This option is not enabled by default. The vulnerability has been fixed in mitmproxy 12.2.2 and above.
AnalysisAI
Authentication bypass in mitmproxy 12.2.1 and below allows remote attackers to bypass LDAP-based proxy authentication through unsanitized username injection. The vulnerability affects only instances explicitly configured with the proxyauth option using LDAP authentication, which is disabled by default. Attackers can exploit this over the network without authentication or user interaction to gain unauthorized access to proxied connections.
Technical ContextAI
mitmproxy's builtin LDAP proxy authentication mechanism (enabled via the proxyauth option with LDAP configuration) constructs LDAP queries using client-supplied usernames without proper sanitization. The vulnerability root cause is CWE-90 (Improper Neutralization of Special Elements used in an LDAP Query), allowing attackers to inject LDAP filter syntax into authentication queries. This enables bypassing the authentication check by manipulating the LDAP filter logic, similar to SQL injection attacks but targeting LDAP directory services. The affected component is the LDAP authentication handler in mitmproxy's proxy authentication subsystem.
RemediationAI
Upgrade mitmproxy to version 12.2.2 or above, which contains the fix for LDAP username sanitization. Organizations unable to upgrade immediately should disable the proxyauth LDAP feature if not critical to operations, or implement a non-LDAP authentication method. Additional compensating controls include restricting network access to the mitmproxy proxy port using firewall rules to limit which clients can reach the authentication endpoint, though this may impact legitimate use cases. Verify the upgrade using the GitHub security advisory GHSA-527g-3w9m-29hv.
The remoting module in Jenkins before 2.32 and LTS before 2.19.3 allows remote attackers to execute arbitrary code via a
In Joomla!. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required,
An issue was discovered on Accellion FTA devices before FTA_9_12_180. Rated critical severity (CVSS 9.8), this vulnerabi
Mastodon is a free, open-source social network server based on ActivityPub Mastodon allows configuration of LDAP for aut
Dolibarr 11.0.3 contains a persistent cross-site scripting vulnerability in LDAP synchronization settings that allows at
A reflected cross-site scripting (xss) vulnerability exists in the ldapUser functionality of MedDream PACS Premium 7.3.6
Authentication bypass in Apache Druid versions 0.17.0 through 35.x. Affects all versions prior to 36.0.0 when specific p
Arbitrary certificate disclosure in Apache CXF's XKMS server lets remote attackers abuse an LDAP injection flaw (CWE-90)
An issue was discovered in linqi before 1.4.0.1 on Windows. Rated critical severity (CVSS 9.8), this vulnerability is re
A vulnerability, which was classified as problematic, has been found in Jahastech NxFilter 4.3.2.5.jsp?actionFlag=test&i
An unauthenticated Apache Traffic Control Traffic Ops user can send a request with a specially-crafted username to the P
Kanboard versions 1.2.48 and earlier contain an LDAP injection vulnerability where unsanitized user input in the LDAP au
Same weakness CWE-90 – LDAP Injection
View allSame technique Authentication Bypass
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| openSUSE Tumbleweed | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today