Description
Incomplete sanitization of extended attribute (EA) path components in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to write to files outside the intended metadata namespace via crafted EA names.
Published: 2026-05-21
Score: 7.6 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The flaw exists in Netatalk 2.1.0 through 4.4.2, where extended attribute (EA) path components are not fully sanitized. A remote authenticated attacker can craft EA names containing path traversal sequences, leading the server to write files outside the intended metadata namespace. This is a classic directory traversal weakness (CWE-22) that enables arbitrary file modification beyond the allowed scope, potentially compromising system data integrity and confidentiality.
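To make the weakness class concrete, the following C example (added here; it is not Netatalk's code, and the page does not say what Netatalk's own sanitizer did) contrasts a hypothetical "incomplete" check that only rejects a leading "../" with a strict check that treats an EA name as a single path component. The metadata directory and the sample EA names are constructed placeholders.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/*
 * Hypothetical "incomplete" sanitizer, written to illustrate the weakness
 * class; it is NOT Netatalk's code. It only rejects a name that begins
 * with "../", so a traversal sequence that follows a harmless first
 * component is still accepted.
 */
static bool ea_name_incomplete_check(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    return strncmp(name, "../", 3) != 0;
}

/*
 * Strict sanitizer: an EA name must be exactly one path component.
 * Reject empty names, any '/' (which would introduce a second component),
 * the special components "." and "..", and control characters.
 * Because '/' is rejected outright, a name such as "a/../b" cannot pass.
 */
static bool ea_name_is_safe(const char *name)
{
    if (name == NULL || name[0] == '\0')
        return false;
    if (strcmp(name, ".") == 0 || strcmp(name, "..") == 0)
        return false;
    for (const unsigned char *p = (const unsigned char *)name; *p != '\0'; p++) {
        if (*p == '/' || *p < 0x20 || *p == 0x7f)
            return false;
    }
    return true;
}

/*
 * Build "<metadir>/<name>" only after the name passes the strict check.
 * Returns the number of characters written, or -1 if the name was
 * rejected or the output buffer is too small.
 */
static int ea_build_path(const char *metadir, const char *name,
                         char *out, size_t outlen)
{
    if (!ea_name_is_safe(name))
        return -1;
    int n = snprintf(out, outlen, "%s/%s", metadir, name);
    if (n < 0 || (size_t)n >= outlen)
        return -1;
    return n;
}

/* Convenience check: true if building the path succeeds and the result
 * is exactly `expected`. */
static bool ea_path_equals(const char *metadir, const char *name,
                           const char *expected)
{
    char buf[256];
    return ea_build_path(metadir, name, buf, sizeof buf) >= 0 &&
           strcmp(buf, expected) == 0;
}

int main(void)
{
    /* Constructed sample names; the metadata directory is a placeholder. */
    const char *metadir = "/srv/share/.ea-metadata";
    const char *names[] = { "user.comment", "..", "notes/../../x", "" };
    for (size_t i = 0; i < sizeof names / sizeof names[0]; i++) {
        char buf[256];
        int n = ea_build_path(metadir, names[i], buf, sizeof buf);
        printf("%-16s incomplete=%d strict=%d -> %s\n",
               names[i],
               ea_name_incomplete_check(names[i]),
               ea_name_is_safe(names[i]),
               n >= 0 ? buf : "(rejected)");
    }
    return 0;
}
```

The design point is that a deny-list of known bad prefixes is never complete; constraining the name to one component (no separators, no "." or "..") before it is ever joined to the metadata directory removes the traversal avenue entirely.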

Affected Systems

Netatalk is affected in all releases from version 2.1.0 up to and including 4.4.2.

Risk and Exploitability

The CVSS score of 7.6 signals a high severity vulnerability. EPSS is not available, and the vulnerability is not listed in CISA's KEV catalog. Based on the description and the fact that Netatalk is a network file‑sharing service, it is inferred that the attack vector is remote. A remote authenticated attacker could craft a special EA request containing path traversal sequences that cause the server to write files outside the intended metadata namespace, potentially exposing sensitive data or enabling arbitrary file modification.

Generated by OpenCVE AI on May 21, 2026 at 11:07 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply any available vendor patch or update to a fixed version, if one is released.
  • Disable or restrict EA path handling in older Netatalk installations if an upgrade is not immediately possible, to close the directory traversal avenue.
  • Apply network‑level restrictions so that only trusted systems can access the Netatalk service, reducing the exposure to remote exploitation.



Advisories
Source: Debian DSA
ID: DSA-62801
Title: netatalk security update
History

Thu, 21 May 2026 09:00:00 +0000

Type: Description
  Values Removed: In Netatalk 2.1.0 through 4.4.2, ea path traversal via incomplete sanitization. Fixed in 4.4.3.
  Values Added: Incomplete sanitization of extended attribute (EA) path components in Netatalk 2.1.0 through 4.4.2 allows a remote authenticated attacker to write to files outside the intended metadata namespace via crafted EA names.

Thu, 21 May 2026 08:45:00 +0000

Type: First Time appeared
  Values Added: Netatalk; Netatalk netatalk
Type: Vendors & Products
  Values Added: Netatalk; Netatalk netatalk

Thu, 21 May 2026 07:45:00 +0000

Type: Description
  Values Added: In Netatalk 2.1.0 through 4.4.2, ea path traversal via incomplete sanitization. Fixed in 4.4.3.
Type: Title
  Values Added: EA path traversal via incomplete sanitization
Type: Weaknesses
  Values Added: CWE-22
Type: References
Type: Metrics
  Values Added: cvssV3_1
  {'score': 7.6, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:H/A:L'}


MITRE

Status: PUBLISHED

Assigner: securin

Published:

Updated: 2026-05-21T07:52:46.645Z

Reserved: 2026-05-05T07:25:20.196Z

Link: CVE-2026-44068

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-21T08:16:22.473

Modified: 2026-05-21T09:16:29.043

Link: CVE-2026-44068

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T11:15:09Z

Weaknesses