Description
An SQL injection vulnerability in the MySQL CNID backend in Netatalk 3.1.0 through 4.4.2 allows a remote authenticated attacker to obtain unauthorized access to data, modify data, or cause a denial of service.
Published: 2026-05-21
Score: 8.8 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An SQL injection vulnerability exists in the MySQL CNID backend of Netatalk versions 3.1.0 through 4.4.2. It permits a remote authenticated attacker to obtain unauthorized access to data, modify data, or cause a denial of service. The weakness is classified as CWE-89 (Improper Neutralization of Special Elements used in an SQL Command, i.e. SQL injection): input reaching the backend is incorporated into SQL statements without being properly neutralized, so a client can alter the structure of the query rather than just its data.

Affected Systems

The vulnerability affects Netatalk installations using the MySQL CNID backend in the version range 3.1.0 to 4.4.2 inclusive. Installations configured with a different CNID backend are not affected as described. The CVE record (see History below) states the issue is fixed in Netatalk 4.4.3; until an affected installation is upgraded, the data held in the CNID database (and any other data reachable through the same database connection) should be considered exposed to authenticated clients.

Risk and Exploitability

The CVSS v3.1 vector CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H yields a score of 8.8 (High): reachable over the network, low attack complexity, low privileges required (an authenticated Netatalk user, not a host-level account), no user interaction, and high impact on confidentiality, integrity and availability. The EPSS score is currently unavailable, and the vulnerability does not appear in the CISA KEV catalog. Based on the description, exploitation would involve an authenticated client sending a request whose attacker-controlled content is incorporated into an SQL query issued by the CNID backend; the only prerequisite is valid credentials for the Netatalk service and network access to it.
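To make the CWE-89 pattern concrete, here is an added illustration, not Netatalk code and not the actual injection point in the MySQL CNID backend (which the page does not identify): a name-to-ID lookup written once with string interpolation and once with driver-side parameter binding, run against an in-memory SQLite table standing in for the MySQL CNID database. The table layout, the sample rows, the `cnid` table name and the payload are all constructed for the example.

```python
import sqlite3

# Constructed sample data standing in for a CNID table: (Id, Did, Name).
# The schema is an assumption for illustration, not Netatalk's real MySQL schema.
SAMPLE_ROWS = [
    (17, 2, "report.doc"),
    (18, 2, "budget.xlsx"),
    (19, 3, "O'Brien.txt"),   # a legitimate name containing a quote character
]


def make_db():
    """Build an in-memory SQLite database (stand-in for MySQL) with sample rows."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE cnid (Id INTEGER PRIMARY KEY, Did INTEGER NOT NULL, Name TEXT NOT NULL)"
    )
    conn.executemany("INSERT INTO cnid (Id, Did, Name) VALUES (?, ?, ?)", SAMPLE_ROWS)
    conn.commit()
    return conn


def lookup_ids_vulnerable(conn, name, did):
    """CWE-89 pattern: the client-supplied name is pasted into the SQL text,
    so quote characters in it are parsed as SQL rather than as data."""
    sql = f"SELECT Id FROM cnid WHERE Name='{name}' AND Did={int(did)}"
    return [row[0] for row in conn.execute(sql)]


def lookup_ids_safe(conn, name, did):
    """Hardened form: values are bound by the driver; the query structure is fixed
    and the name can never change it, whatever characters it contains."""
    sql = "SELECT Id FROM cnid WHERE Name=? AND Did=?"
    return [row[0] for row in conn.execute(sql, (name, int(did)))]


def demo():
    """Run both lookups on a normal name, an injection payload, and a name
    with an apostrophe; return the observed results keyed by case."""
    conn = make_db()
    out = {}

    out["normal_vuln"] = lookup_ids_vulnerable(conn, "report.doc", 2)
    out["normal_safe"] = lookup_ids_safe(conn, "report.doc", 2)

    # Constructed tautology payload. The trailing "-- " comments out the rest of
    # the statement (MySQL requires whitespace after "--"; SQLite accepts it too),
    # so the Did restriction is dropped and every row becomes visible.
    payload = "x' OR '1'='1' -- "
    out["tautology_vuln"] = lookup_ids_vulnerable(conn, payload, 2)
    out["tautology_safe"] = lookup_ids_safe(conn, payload, 2)

    # The same defect also breaks ordinary operation: a legitimate apostrophe
    # turns the concatenated query into a syntax error (a denial-of-service flavour).
    try:
        lookup_ids_vulnerable(conn, "O'Brien.txt", 3)
        out["apostrophe_vuln"] = "ok"
    except sqlite3.OperationalError:
        out["apostrophe_vuln"] = "syntax error"
    out["apostrophe_safe"] = lookup_ids_safe(conn, "O'Brien.txt", 3)
    return out


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case:16s} -> {result}")
```

The interpolated version returns every row for the payload and fails outright on a name that merely contains a quote; the bound version returns nothing for the payload and resolves the quoted name correctly. Escaping helpers (such as a driver's string-escape function) are a weaker substitute: they must be applied at every interpolation site and only cover the quoting style of the column they are used with, whereas binding removes the parsing problem entirely.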

Generated by OpenCVE AI on May 21, 2026 at 10:55 UTC.

Remediation

The CVE record (see History below) states the issue is fixed in Netatalk 4.4.3, and Debian has issued DSA-62801 for netatalk (see Advisories). No workaround is described for installations that cannot upgrade.

OpenCVE Recommended Actions

  • Upgrade to Netatalk 4.4.3 or later (the version the CVE record names as fixed), or apply your distribution's update (Debian DSA-62801 is listed under Advisories).
  • Restrict network access to the Netatalk (AFP) service to trusted hosts with firewall rules; because exploitation requires valid credentials, also review which accounts can reach the service and disable any that are unused.
  • Monitor the MySQL server that hosts the CNID database (error log, and the general or audit query log where enabled) for malformed or unexpectedly shaped queries originating from the Netatalk host, and investigate any suspicious events.



Advisories
Source: Debian DSA
ID: DSA-62801
Title: netatalk security update
History

Thu, 21 May 2026 09:00:00 +0000

Type: Description
Values Removed: In Netatalk 3.1.0 through 4.4.2, sql injection in mysql cnid backend. Fixed in 4.4.3.
Values Added: An SQL injection vulnerability in the MySQL CNID backend in Netatalk 3.1.0 through 4.4.2 allows a remote authenticated attacker to obtain unauthorized access to data, modify data, or cause a denial of service.

Thu, 21 May 2026 08:45:00 +0000

Type: First Time appeared
Values Added: Netatalk; Netatalk netatalk

Type: Vendors & Products
Values Added: Netatalk; Netatalk netatalk

Thu, 21 May 2026 07:45:00 +0000

Type: Description
Values Added: In Netatalk 3.1.0 through 4.4.2, sql injection in mysql cnid backend. Fixed in 4.4.3.

Type: Title
Values Added: SQL injection in MySQL CNID backend

Type: Weaknesses
Values Added: CWE-89

Type: References
Values Added: (none shown)

Type: Metrics
Values Added: cvssV3_1 {'score': 8.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: securin

Published:

Updated: 2026-05-21T07:52:06.407Z

Reserved: 2026-05-05T07:24:42.291Z

Link: CVE-2026-44047

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-21T08:16:20.173

Modified: 2026-05-21T09:16:26.920

Link: CVE-2026-44047

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T11:00:11Z

Weaknesses