Description
Netatalk 1.5.0 through 4.4.2 uses DES-ECB for authentication with a timing side channel, which allows a remote attacker to recover authentication credentials via timing analysis.
Published: 2026-05-21
Score: 5.9 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability resides in Netatalk's DES‑ECB authentication mechanism, where the time taken to process authentication data leaks information about the validity of the supplied credentials. This timing side channel (CWE‑208) permits an attacker to measure response times and deduce whether authentication attempts are correct, enabling gradual discovery of valid credentials and facilitating brute‑force attacks with reduced effort.

Affected Systems

Netatalk versions 1.5.0 through 4.4.2 are affected. The product is the Netatalk server software that provides AFP file‑sharing for macOS clients. No other vendors or products are listed as affected.

Risk and Exploitability

The CVSS score of 5.9 indicates moderate severity. No EPSS data is available, so the likelihood of exploitation remains uncertain, although the presence of a timing side channel suggests realistic risk for attackers with network access. The vulnerability is not listed in the CISA KEV catalog, meaning no confirmed public exploits exist. Attacks would require connectivity to the Netatalk service and the ability to measure response times accurately; attackers would typically target the service over the network interface, which is the inferred attack vector based on the nature of the service.

Generated by OpenCVE AI on May 21, 2026 at 11:09 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to the latest Netatalk release, which addresses the DES‑ECB timing side channel.
  • If an immediate upgrade is not possible, limit external access to the Netatalk service to trusted IP ranges and apply firewall restrictions.
  • Implement monitoring of authentication attempts and consider rate‑limiting responses to reduce the feasibility of timing attacks.

Generated by OpenCVE AI on May 21, 2026 at 11:09 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Thu, 21 May 2026 09:00:00 +0000

Type Values Removed Values Added
Description In Netatalk 1.5.0 through 4.4.2, des-ecb auth with timing side channel. Fixed in 4.5.0. Netatalk 1.5.0 through 4.4.2 uses DES-ECB for authentication with a timing side channel, which allows a remote attacker to recover authentication credentials via timing analysis.

Thu, 21 May 2026 08:45:00 +0000

Type Values Removed Values Added
First Time appeared Netatalk
Netatalk netatalk
Vendors & Products Netatalk
Netatalk netatalk

Thu, 21 May 2026 07:45:00 +0000

Type Values Removed Values Added
Description In Netatalk 1.5.0 through 4.4.2, des-ecb auth with timing side channel. Fixed in 4.5.0.
Title DES-ECB auth with timing side channel
Weaknesses CWE-208
References
Metrics cvssV3_1

{'score': 5.9, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:N/A:N'}

Subscriptions

Netatalk Netatalk
cve-icon MITRE

Status: PUBLISHED

Assigner: securin

Published:

Updated: 2026-05-21T07:52:32.428Z

Reserved: 2026-05-05T07:25:12.313Z

Link: CVE-2026-44061

cve-icon Vulnrichment

No data.

cve-icon NVD

Status : Received

Published: 2026-05-21T08:16:21.687

Modified: 2026-05-21T09:16:28.350

Link: CVE-2026-44061

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-05-21T11:15:09Z

Weaknesses