Skip to main content

Netatalk CVE-2026-44051

| EUVDEUVD-2026-31228 HIGH
Improper Link Resolution Before File Access (CWE-59)
2026-05-21 securin GHSA-x9mv-rgr7-fxhp
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
SUSE
HIGH
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

1
Analysis Generated
May 21, 2026 - 08:01 vuln.today

DescriptionCVE.org

In Netatalk 3.0.2 through 4.4.2, arbitrary file read via attacker-controlled symlink creation. Fixed in 4.4.3.

AnalysisAI

Arbitrary file read in Netatalk 3.0.2 through 4.4.2 allows authenticated remote attackers to create attacker-controlled symbolic links that the AFP server follows, exposing sensitive files outside the intended share. The flaw is fixed in version 4.4.3 and no public exploit identified at time of analysis. Securin reported the issue and the vendor has published an advisory at netatalk.io.

Technical ContextAI

Netatalk is an open-source implementation of the Apple Filing Protocol (AFP) that lets Unix-like systems serve files to macOS clients over the network. The root cause is CWE-59 (Improper Link Resolution Before File Access, a.k.a. Link Following): the daemon resolves symbolic links created by an authenticated user without enforcing that the resolved path remains inside the share boundary, so a crafted symlink pointing to /etc/shadow, configuration files, or other private paths is dereferenced server-side and the contents are returned to the client. The affected CPE is cpe:2.3:a:netatalk:netatalk for all 3.0.2-4.4.2 builds.

RemediationAI

Upgrade to Vendor-released patch: Netatalk 4.4.3, which contains the fix; consult the upstream advisory at https://netatalk.io/security/CVE-2026-44051 for build notes. Until packaged updates are available for your distribution, reduce exposure by restricting AFP access (TCP/548) to trusted networks via host or network firewall, disabling AFP shares that accept untrusted authenticated users, and removing or tightening shares where 'follow symlinks' style options are enabled in afp.conf - note that disabling symlink following may break legitimate macOS Time Machine or shared-mount workflows that rely on it. Where feasible, migrate clients to SMB on Samba as a longer-term alternative, accepting the operational cost of changing the file-sharing stack.

Vendor StatusVendor

SUSE

Severity: High
Product Status
SUSE Linux Enterprise Server 12 SP5 Fixed
SUSE Linux Enterprise Server 12 SP5-LTSS Fixed
SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security Fixed
SUSE Linux Enterprise Server for SAP Applications 12 SP5 Fixed
SUSE Linux Enterprise Desktop 12 Fixed

Share

CVE-2026-44051 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy