Description
maddy is a composable, all-in-one mail server. Versions prior to 0.9.3 contain an LDAP injection vulnerability in the auth.ldap module where user-supplied usernames are interpolated into LDAP search filters and DN strings via strings.ReplaceAll() without any LDAP filter escaping, despite the go-ldap/ldap/v3 library's ldap.EscapeFilter() function being available in the same import. This affects three code paths: the Lookup() filter, the AuthPlain() DN template, and the AuthPlain() filter. An attacker with network access to the SMTP submission or IMAP interface can inject arbitrary LDAP filter expressions through the username field in AUTH PLAIN or LOGIN commands. This enables identity spoofing by manipulating filter results to authenticate as another user, LDAP directory enumeration via wildcard filters, and blind extraction of LDAP attribute values using authentication responses as a boolean oracle or via timing side-channels between the two distinct failure paths. This issue has been fixed in version 0.9.3.
Published: 2026-04-15
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Identity Spoofing
Action: Immediate Patch
AI Analysis

Impact

In maddy mail server versions prior to 0.9.3, a user supplied username in LDAP authentication commands is concatenated directly into LDAP search filters and DN strings without proper escaping. This LDAP filter injection allows an attacker to embed arbitrary filter expressions, potentially tricking the directory service into returning records belonging to other users. The vulnerability can also be leveraged to enumerate directory entries or extract attribute values via side‑channel techniques such as oracle responses or timing differences.

Affected Systems

foxcpp’s maddy mail server; any deployment using maddy before the 0.9.3 release is affected. The issue spans three code paths: the Lookup filter, the AuthPlain DN template, and the AuthPlain filter.

Risk and Exploitability

The flaw carries a CVSS score of 8.2, indicating high severity. Exploitation requires network access to the SMTP submission or IMAP interface, a common setup for email servers. While an EPSS score is not published, the absence of a KEV listing suggests it is not a known widely exploited vulnerability yet, but the high CVSS and the potential for identity spoofing and directory enumeration make it a high‑priority risk.

Generated by OpenCVE AI on April 16, 2026 at 09:04 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update maddy to version 0.9.3 or later to eliminate unsanitized LDAP filter construction.
  • If an upgrade cannot be performed immediately, disable LDAP authentication for untrusted clients or block AUTH PLAIN/LOGIN traffic until the patch is applied.
  • Continuously monitor authentication logs for anomalous LDAP filter patterns and confirm that no unauthorized authentication attempts succeed.

Generated by OpenCVE AI on April 16, 2026 at 09:04 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-5835-4gvc-32pc Maddy Mail Server has an LDAP Filter Injection via Unsanitized Username
History

Wed, 22 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Maddy Project
Maddy Project maddy
CPEs cpe:2.3:a:maddy_project:maddy:*:*:*:*:*:*:*:*
Vendors & Products Maddy Project
Maddy Project maddy

Thu, 16 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Thu, 16 Apr 2026 00:45:00 +0000

Type Values Removed Values Added
First Time appeared Foxcpp
Foxcpp maddy
Vendors & Products Foxcpp
Foxcpp maddy

Wed, 15 Apr 2026 23:30:00 +0000

Type Values Removed Values Added
Description maddy is a composable, all-in-one mail server. Versions prior to 0.9.3 contain an LDAP injection vulnerability in the auth.ldap module where user-supplied usernames are interpolated into LDAP search filters and DN strings via strings.ReplaceAll() without any LDAP filter escaping, despite the go-ldap/ldap/v3 library's ldap.EscapeFilter() function being available in the same import. This affects three code paths: the Lookup() filter, the AuthPlain() DN template, and the AuthPlain() filter. An attacker with network access to the SMTP submission or IMAP interface can inject arbitrary LDAP filter expressions through the username field in AUTH PLAIN or LOGIN commands. This enables identity spoofing by manipulating filter results to authenticate as another user, LDAP directory enumeration via wildcard filters, and blind extraction of LDAP attribute values using authentication responses as a boolean oracle or via timing side-channels between the two distinct failure paths. This issue has been fixed in version 0.9.3.
Title Maddy Mail Server: LDAP Filter Injection via Unsanitized Username
Weaknesses CWE-90
References
Metrics cvssV3_1

{'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}

Subscriptions

Foxcpp Maddy
Maddy Project Maddy
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-16T14:23:52.438Z

Reserved: 2026-04-09T20:59:17.620Z

Link: CVE-2026-40193

cve-icon Vulnrichment

Updated: 2026-04-16T14:23:48.474Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-16T00:16:28.163

Modified: 2026-04-22T20:13:42.313

Link: CVE-2026-40193

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-16T09:15:30Z

Weaknesses