Skip to main content

Netatalk EUVDEUVD-2026-31219

| CVE-2026-44076 MEDIUM
OS Command Injection (CWE-78)
2026-05-21 securin GHSA-ffrg-fjv6-4h2r
6.7
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
6.7 MEDIUM
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
SUSE
MEDIUM
qualitative

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Local
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

1
Analysis Generated
May 21, 2026 - 08:10 vuln.today

DescriptionCVE.org

In Netatalk 3.1.0 through 4.4.2, shell injection via volume path. Fixed in 4.4.3.

AnalysisAI

Shell injection in Netatalk 3.1.0 through 4.4.2 allows a high-privileged local attacker to execute arbitrary OS commands by embedding shell metacharacters in a configured volume path value. The flaw (CWE-78) arises because volume path strings are passed to a shell interpreter without sanitization, meaning any actor with write access to Netatalk's volume configuration can achieve full command execution under the Netatalk process context. No public exploit code has been identified at time of analysis, and the vendor has released a fix in version 4.4.3.

Technical ContextAI

Netatalk is an open-source Apple Filing Protocol (AFP) server used on Linux and Unix systems to serve file shares to macOS clients. The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command - OS Command Injection), meaning volume path values supplied in the server configuration are incorporated into a shell command invocation without stripping or escaping metacharacters such as semicolons, backticks, or pipes. The affected CPE is cpe:2.3:a:netatalk:netatalk:*:*:*:*:*:*:*:*, spanning all Netatalk releases from 3.1.0 through 4.4.2. The injection point is specifically the volume path field, meaning the flaw is triggered at configuration-parse or command-execution time when Netatalk internally processes that value.

RemediationAI

Upgrade to Netatalk 4.4.3, the vendor-released patch confirmed by both the CVE description and the official advisory at https://netatalk.io/security/CVE-2026-44076. If immediate upgrade is not feasible, restrict filesystem permissions on Netatalk's volume configuration files (typically afp.conf or AppleVolumes.default) to the minimum set of administrative accounts, which reduces the pool of actors capable of supplying a malicious path - note this is a compensating control only and does not remediate the underlying injection flaw. Additionally, audit all existing volume path entries for unexpected shell metacharacters as a detective measure. No trade-off-free workaround exists that eliminates the vulnerability without patching.

Vendor StatusVendor

SUSE

Severity: Medium
Product Status
SUSE Linux Enterprise Server 12 SP5 Fixed
SUSE Linux Enterprise Server 12 SP5-LTSS Fixed
SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security Fixed
SUSE Linux Enterprise Server for SAP Applications 12 SP5 Fixed
SUSE Linux Enterprise Desktop 12 Fixed

Share

EUVD-2026-31219 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy