Description
mitmproxy is an interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers, and mitmweb is a web-based interface for mitmproxy. In mitmproxy 12.2.1 and below, the built-in LDAP proxy authentication does not correctly sanitize the username when querying the LDAP server. This allows a malicious client to bypass authentication. Only mitmproxy instances using the proxyauth option with LDAP are affected. This option is not enabled by default. The vulnerability has been fixed in mitmproxy 12.2.2 and above.
Published: 2026-04-21
Score: 4.8 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Authentication Bypass
Action: Patch
AI Analysis

Impact

The vulnerability exists in mitmproxy versions 12.2.1 and earlier; the built-in LDAP proxy authentication does not correctly sanitize the username field, allowing an LDAP injection that enables a malicious client to bypass authentication when the proxyauth option is enabled. This flaw permits an attacker to authenticate as any user and gain access to intercept traffic and potentially privileged actions within the tool.
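As an added illustration of the CWE-90 pattern this record describes (example code, not mitmproxy's own), the following builds the LDAP lookup filter two ways: raw concatenation of the username versus RFC 4515 escaping, with a small structural check showing which form still yields a single literal lookup. The uid attribute, the filter shape and the sample username are assumptions.

```python
# Added example, not mitmproxy's own code: building an LDAP search filter
# from a proxy username with RFC 4515 escaping, so that filter metacharacters
# in the username are treated as literal text rather than filter syntax.
# The attribute name (uid), the filter shape and the sample usernames are
# assumptions; the real addon's filter layout may differ.

# RFC 4515 section 3: characters that must be escaped inside an assertion value.
_LDAP_FILTER_ESCAPES = {
    "\\": "\\5c",
    "*": "\\2a",
    "(": "\\28",
    ")": "\\29",
    "\x00": "\\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a string for use as an assertion value in an LDAP search filter."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter_unsafe(username: str) -> str:
    """CWE-90 pattern: the raw username is spliced into the filter syntax."""
    return f"(uid={username})"


def build_user_filter(username: str) -> str:
    """Hardened form: the username is always one literal assertion value."""
    return f"(uid={escape_filter_value(username)})"


def count_unescaped(ldap_filter: str) -> dict[str, int]:
    """Count '(' ')' '*' that are syntactically live (not inside a \\XX escape)."""
    counts = {"(": 0, ")": 0, "*": 0}
    i = 0
    while i < len(ldap_filter):
        ch = ldap_filter[i]
        if ch == "\\":
            i += 3  # skip the backslash and its two hex digits
            continue
        if ch in counts:
            counts[ch] += 1
        i += 1
    return counts


def is_single_literal_lookup(ldap_filter: str) -> bool:
    """True when the filter is exactly one equality match with no live wildcard."""
    c = count_unescaped(ldap_filter)
    return c["("] == 1 and c[")"] == 1 and c["*"] == 0
```

With a constructed username such as `o'brien*(test)`, the unsafe builder produces a filter with two live parentheses and a live wildcard, while the escaped builder keeps it to a single literal `uid` match.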

Affected Systems

mitmproxy, an interactive TLS-capable intercepting HTTP proxy used by penetration testers and developers. Any instance that has the proxyauth option with LDAP enabled and is running version 12.2.1 or earlier is affected. Versions 12.2.2 and later contain the fix and are not vulnerable.

Risk and Exploitability

The CVSS base score is 4.8, reflecting moderate risk. EPSS is not available and the vulnerability is not listed in CISA KEV. The attack vector is remote; an attacker who can submit crafted proxy-authentication credentials to an LDAP-backed proxyauth instance can exploit the flaw and authenticate as any user, gaining unauthorized access to intercepted data and the proxy's internal functionality.

Generated by OpenCVE AI on April 22, 2026 at 05:38 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade mitmproxy to version 12.2.2 or later to apply the LDAP input sanitization fix.
  • If LDAP-based proxyauth is not required, disable the proxyauth option in the configuration to eliminate the attack surface.
  • Monitor proxy logs and network traffic for suspicious LDAP queries or unauthorized authentication attempts to detect potential exploitation attempts.


Tracking


Advisories
Source: Github GHSA
ID: GHSA-527g-3w9m-29hv
Title: mitmproxy has an LDAP Injection
History

Wed, 22 Apr 2026 14:15:00 +0000

Type: Metrics ssvc
Values Added:

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 22 Apr 2026 03:45:00 +0000

Type: First Time appeared
Values Added: Mitmproxy; Mitmproxy mitmproxy

Type: Vendors & Products
Values Added: Mitmproxy; Mitmproxy mitmproxy

Wed, 22 Apr 2026 00:00:00 +0000

Type: Description
Values Added: mitmproxy is an interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers, and mitmweb is a web-based interface for mitmproxy. In mitmproxy 12.2.1 and below, the built-in LDAP proxy authentication does not correctly sanitize the username when querying the LDAP server. This allows a malicious client to bypass authentication. Only mitmproxy instances using the proxyauth option with LDAP are affected. This option is not enabled by default. The vulnerability has been fixed in mitmproxy 12.2.2 and above.

Type: Title
Values Added: ProxyAuth Addon LDAP Injection in mitmproxy

Type: Weaknesses
Values Added: CWE-90

Type: References

Type: Metrics cvssV3_1
Values Added:

{'score': 4.8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-22T13:26:03.183Z

Reserved: 2026-04-14T14:07:59.642Z

Link: CVE-2026-40606

Vulnrichment

Updated: 2026-04-22T13:25:56.411Z

NVD

Status : Awaiting Analysis

Published: 2026-04-21T18:16:52.127

Modified: 2026-04-22T21:24:26.997

Link: CVE-2026-40606

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-22T05:45:09Z

Weaknesses