Description
A path traversal flaw was found in SSSD's AD GPO provider. The ad_gpo_extract_smb_components() function does not sanitize .. sequences in the gPCFileSysPath LDAP attribute, allowing an attacker with AD GPO management access to write files outside the GPO cache directory as root. On default RHEL configurations with SELinux enforcing, this can be used to inject Kerberos configuration leading to authentication bypass.
Published: 2026-07-07
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A path traversal flaw in the SSSD AD GPO provider allows an attacker who has GPO management access to write files outside the GPO cache directory as root. If SELinux is in enforcing mode, the injected files can contain a malicious Kerberos configuration, resulting in authentication bypass for any user that relies on those settings.

Affected Systems

The vulnerability is present in Red Hat Enterprise Linux 6, 7, 8, 9, 10 and Red Hat OpenShift Container Platform 4, all of which rely on SSSD for Kerberos authentication and GPO processing. The specific product names are Red Hat Enterprise Linux 6, 7, 8, 9, 10 and Red Hat OpenShift Container Platform 4.

Risk and Exploitability

With a CVSS score of 8, the flaw is considered high severity. No EPSS score is available, so the likelihood of exploitation remains uncertain. The flaw is not listed in CISA's KEV catalog, but it requires the attacker to have privileged GPO management rights – a role typically held by administrators or compromised domain accounts. On a default configuration with SELinux enforcing, an attacker who can write files as root can modify Kerberos settings and bypass authentication.

Generated by OpenCVE AI on July 7, 2026 at 16:45 UTC.

Remediation

Vendor Workaround

Set ad_gpo_access_control = disabled in /etc/sssd/sssd.conf to disable GPO fetching entirely. Note that this removes GPO-based login policy enforcement.


OpenCVE Recommended Actions

  • Set ad_gpo_access_control = disabled in /etc/sssd/sssd.conf to disable GPO fetching entirely; this removes the ability to traverse outside the cache directory and mitigates the path traversal risk. Note that disabling GPO fetching also removes GPO‑based login policy enforcement.
  • Restrict the pool of users who have AD GPO management permissions to the minimum set of trusted administrators and remove any unnecessary AD accounts that can modify GPO objects.
  • Verify the integrity of the GPO cache directory and audit for unexpected files, and ensure SELinux booleans related to sssd and kerberos remain in their default enforcing mode so that any unauthorized configuration changes are detected or blocked.

Generated by OpenCVE AI on July 7, 2026 at 16:45 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Tue, 07 Jul 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 07 Jul 2026 12:15:00 +0000

Type Values Removed Values Added
References
Metrics threat_severity

None

threat_severity

Moderate


Tue, 07 Jul 2026 10:15:00 +0000

Type Values Removed Values Added
Description A path traversal flaw was found in SSSD's AD GPO provider. The ad_gpo_extract_smb_components() function does not sanitize .. sequences in the gPCFileSysPath LDAP attribute, allowing an attacker with AD GPO management access to write files outside the GPO cache directory as root. On default RHEL configurations with SELinux enforcing, this can be used to inject Kerberos configuration leading to authentication bypass.
Title Sssd: sssd: gpo cache path traversal via unsanitized gpcfilesyspath allows kerberos authentication bypass
First Time appeared Redhat
Redhat enterprise Linux
Redhat openshift
Weaknesses CWE-23
CPEs cpe:/a:redhat:openshift:4
cpe:/o:redhat:enterprise_linux:10
cpe:/o:redhat:enterprise_linux:6
cpe:/o:redhat:enterprise_linux:7
cpe:/o:redhat:enterprise_linux:8
cpe:/o:redhat:enterprise_linux:9
Vendors & Products Redhat
Redhat enterprise Linux
Redhat openshift
References
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Redhat Enterprise Linux Openshift
cve-icon MITRE

Status: PUBLISHED

Assigner: redhat

Published:

Updated: 2026-07-07T14:34:38.153Z

Reserved: 2026-07-02T15:18:56.861Z

Link: CVE-2026-14476

cve-icon Vulnrichment

Updated: 2026-07-07T14:34:34.129Z

cve-icon NVD

No data.

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-07-07T09:00:00Z

Links: CVE-2026-14476 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-07-07T17:00:05Z

Weaknesses
  • CWE-23

    Relative Path Traversal