Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
1DescriptionCVE.org
In Netatalk 2.0.0 through 4.4.2, predictable afpd session token. Fixed in 4.4.3.
AnalysisAI
Predictable afpd session token generation in Netatalk 2.0.0 through 4.4.2 allows an authenticated remote attacker to forecast or brute-force valid session identifiers within the Apple Filing Protocol daemon. Per CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H, the scored impact is limited to high availability disruption, though the reporter tag 'Information Disclosure' suggests potential session-hijacking consequences that may not be fully captured in the CVSS scoring - a discrepancy analysts should verify against the vendor advisory. No public exploit code or CISA KEV listing exists at time of analysis.
Technical ContextAI
Netatalk is an open-source implementation of the Apple Filing Protocol (AFP), enabling file sharing between macOS clients and Linux/Unix servers. The affected component is afpd, the AFP daemon responsible for managing client sessions. CWE-330 (Use of Insufficiently Random Values) identifies the root cause: session tokens generated by afpd during connection establishment rely on an insufficiently random or deterministic source, making them predictable to an observer. The affected CPE cpe:2.3:a:netatalk:netatalk:*:*:*:*:*:*:*:* spans the full Netatalk application across all platforms, covering versions 2.0.0 through 4.4.2. Predictable token flaws in session-oriented daemons typically enable session replay, fixation, or enumeration attacks that can impact confidentiality and integrity far beyond what this CVSS assignment reflects.
RemediationAI
Upgrade Netatalk to version 4.4.3, which is the vendor-confirmed fixed release per the advisory at https://netatalk.io/security/CVE-2026-44054. If an immediate upgrade is not feasible, restrict AFP daemon access to trusted network segments by applying firewall rules to limit TCP port 548 (AFP) to known, trusted client IP ranges - this reduces exposure to the PR:L authenticated attack surface. Additionally, disabling AFP entirely and migrating to SMB (Samba) or NFS for file sharing eliminates the attack surface completely, though this carries operational trade-offs for macOS client compatibility. Monitoring afpd session logs for anomalous token repetition or rapid session churn may help detect exploitation attempts in the interim.
Same weakness CWE-330 – Use of Insufficiently Random Values
View allSame technique Information Disclosure
View allVendor StatusVendor
SUSE
Severity: Medium| Product | Status |
|---|---|
| SUSE Linux Enterprise Server 12 SP5 | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS | Fixed |
| SUSE Linux Enterprise Server 12 SP5-LTSS Extended Security | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP5 | Fixed |
| SUSE Linux Enterprise Desktop 12 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP1 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP2 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP3 | Fixed |
| SUSE Linux Enterprise Desktop 12 SP4 | Fixed |
| SUSE Linux Enterprise Server 12 | Fixed |
| SUSE Linux Enterprise Server 12 SP1 | Fixed |
| SUSE Linux Enterprise Server 12 SP2 | Fixed |
| SUSE Linux Enterprise Server 12 SP3 | Fixed |
| SUSE Linux Enterprise Server 12 SP4 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP1 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP2 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP3 | Fixed |
| SUSE Linux Enterprise Server for SAP Applications 12 SP4 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP1 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP2 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP3 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP4 | Fixed |
| SUSE Linux Enterprise Software Development Kit 12 SP5 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP1 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP2 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP3 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP4 | Fixed |
| SUSE Linux Enterprise Workstation Extension 12 SP5 | Fixed |
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31231
GHSA-q5xh-737m-h26f