Description
Netatalk 1.5.0 through 4.2.2 uses a broken cryptographic algorithm in the DHCAST128 UAM, which allows a remote attacker to obtain authentication credentials or impersonate a user via cryptanalytic attack.
Published: 2026-05-21
Score: 7.4 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Netatalk versions 1.5.0 through 4.2.2 use a broken cryptographic algorithm in the DHCAST128 UAM. The algorithm can be broken by cryptanalysis, enabling a remote attacker to recover authentication credentials or impersonate a user, undermining the integrity and authenticity of Netatalk sessions.

Affected Systems

Netatalk releases 1.5.0 to 4.2.2 are affected. The vulnerability was discovered in the DHCAST128 UAM implementation and is present in all builds within that range. No specific patch version is announced in the CVE data.

Risk and Exploitability

The vulnerability carries a CVSS score of 7.4 (high severity); no EPSS score is provided, so the exploitation probability is unknown. It is not listed in the CISA KEV catalog. The attack vector is most likely remote over the network: an attacker initiates or intercepts a Netatalk session that relies on the weak DHCAST128 UAM and then applies cryptanalysis to compromise credentials.

Generated by OpenCVE AI on May 21, 2026 at 11:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Obtain and install the latest Netatalk release that removes the weak DHCAST128 UAM implementation; if a newer release is not yet available, upgrade to a version newer than 4.2.2.
  • If an immediate upgrade is not feasible, disable the DHCAST128 UAM authentication method in the Netatalk configuration and replace it with a stronger authentication scheme such as SSH or OTP for client access.
  • Limit Netatalk exposure by placing services behind a firewall or internal network segment so that only trusted hosts can reach the authentication endpoint.


Advisories

No advisories yet.

History

Thu, 21 May 2026 09:00:00 +0000

Type: Description
Values Removed: In Netatalk 1.5.0 through 4.2.2, weak cryptography in dhcast128 uam. Fixed in 4.5.0.
Values Added: Netatalk 1.5.0 through 4.2.2 uses a broken cryptographic algorithm in the DHCAST128 UAM, which allows a remote attacker to obtain authentication credentials or impersonate a user via cryptanalytic attack.

Thu, 21 May 2026 08:45:00 +0000

Type: First Time appeared
Values Added: Netatalk; Netatalk netatalk

Type: Vendors & Products
Values Added: Netatalk; Netatalk netatalk

Thu, 21 May 2026 07:45:00 +0000

Type: Description
Values Added: In Netatalk 1.5.0 through 4.2.2, weak cryptography in dhcast128 uam. Fixed in 4.5.0.

Type: Title
Values Added: Weak cryptography in DHCAST128 UAM

Type: Weaknesses
Values Added: CWE-327

Type: References
Values Added:

Type: Metrics
Values Added: cvssV3_1 {'score': 7.4, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:N'}

MITRE

Status: PUBLISHED

Assigner: securin

Published:

Updated: 2026-05-21T07:52:19.003Z

Reserved: 2026-05-05T07:24:42.291Z

Link: CVE-2026-44053

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-21T08:16:20.910

Modified: 2026-05-21T09:16:27.537

Link: CVE-2026-44053

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T11:30:06Z

Weaknesses