Severity by source
AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
1DescriptionCVE.org
In Netatalk 3.1.0 through 4.4.2, shell injection via volume path. Fixed in 4.4.3.
AnalysisAI
Shell injection in Netatalk 3.1.0 through 4.4.2 allows a high-privileged local attacker to execute arbitrary OS commands by embedding shell metacharacters in a configured volume path value. The flaw (CWE-78) arises because volume path strings are passed to a shell interpreter without sanitization, meaning any actor with write access to Netatalk's volume configuration can achieve full command execution under the Netatalk process context. No public exploit code has been identified at time of analysis, and the vendor has released a fix in version 4.4.3.
Technical ContextAI
Netatalk is an open-source Apple Filing Protocol (AFP) server used on Linux and Unix systems to serve file shares to macOS clients. The vulnerability is classified as CWE-78 (Improper Neutralization of Special Elements used in an OS Command - OS Command Injection), meaning volume path values supplied in the server configuration are incorporated into a shell command invocation without stripping or escaping metacharacters such as semicolons, backticks, or pipes. The affected CPE is cpe:2.3:a:netatalk:netatalk:*:*:*:*:*:*:*:*, spanning all Netatalk releases from 3.1.0 through 4.4.2. The injection point is specifically the volume path field, meaning the flaw is triggered at configuration-parse or command-execution time when Netatalk internally processes that value.
RemediationAI
Upgrade to Netatalk 4.4.3, the vendor-released patch confirmed by both the CVE description and the official advisory at https://netatalk.io/security/CVE-2026-44076. If immediate upgrade is not feasible, restrict filesystem permissions on Netatalk's volume configuration files (typically afp.conf or AppleVolumes.default) to the minimum set of administrative accounts, which reduces the pool of actors capable of supplying a malicious path - note this is a compensating control only and does not remediate the underlying injection flaw. Additionally, audit all existing volume path entries for unexpected shell metacharacters as a detective measure. No trade-off-free workaround exists that eliminates the vulnerability without patching.
Same weakness CWE-78 – OS Command Injection
View allSame technique Command Injection
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| SUSE Linux Enterprise Server 12 SP5 | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP5 | Fixed |
| SUSE Linux Enterprise Desktop 12 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP1 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP2 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP3 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP4 | Fixed |
| SUSE Linux Enterprise Server 12 | Fixed |
| SUSE Linux Enterprise Server 12 SP1 | Fixed |
| SUSE Linux Enterprise Server 12 SP2 | Fixed |
| SUSE Linux Enterprise Server 12 SP3 | Fixed |
| SUSE Linux Enterprise Server 12 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP2 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP3 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP4 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP1 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP2 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP3 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP4 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP5 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP1 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP2 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP3 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP4 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31219
GHSA-ffrg-fjv6-4h2r