Description
Insufficient sanitization of volume paths in Netatalk 3.1.0 through 4.4.2 allows a local privileged user to inject OS commands and execute arbitrary code via a crafted volume path.
Published: 2026-05-21
Score: 6.7 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Netatalk 3.1.0 through 4.4.2 permits a local privileged user to craft a volume path containing shell metacharacters that the server later interprets and executes. This is a classic operating‑system command injection classified as CWE‑78. The flaw allows the attacker to run arbitrary commands with the privileges of the Netatalk process, potentially enabling full system compromise if the process runs with elevated rights.

Affected Systems

The affected product is Netatalk, a server implementation of the AppleTalk networking protocol. All releases from 3.1.0 up to and including 4.4.2 are vulnerable; it is not confirmed whether later versions fix the issue.

Risk and Exploitability

The CVSS score of 6.7 reflects moderate severity. No EPSS data is available, and the vulnerability is not listed in the CISA KEV catalog. An attacker must be a local user with the ability to create or modify a volume name or path; the server then parses that input and invokes the shell, executing the injected commands. Because the attack requires a local privileged user, it does not allow remote exploitation, but it still permits arbitrary code execution with the service's privileges.

Generated by OpenCVE AI on May 21, 2026 at 11:05 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Apply the vendor patch or upgrade to a fixed version as soon as one becomes available
  • If an immediate upgrade is not possible, limit or sanitize volume path input to disallow shell metacharacters or disable unnecessary volume‑path features
  • Continuously monitor server logs for unexpected mount or command execution activity to detect potential exploitation attempts


Advisories
Source: Debian DSA
ID: DSA-62801
Title: netatalk security update
History

Thu, 21 May 2026 09:00:00 +0000

Description
  Removed: In Netatalk 3.1.0 through 4.4.2, shell injection via volume path. Fixed in 4.4.3.
  Added: Insufficient sanitization of volume paths in Netatalk 3.1.0 through 4.4.2 allows a local privileged user to inject OS commands and execute arbitrary code via a crafted volume path.

Thu, 21 May 2026 08:45:00 +0000

First Time appeared
  Added: Netatalk, Netatalk netatalk
Vendors & Products
  Added: Netatalk, Netatalk netatalk

Thu, 21 May 2026 07:45:00 +0000

Description
  Added: In Netatalk 3.1.0 through 4.4.2, shell injection via volume path. Fixed in 4.4.3.
Title
  Added: Shell injection via volume path
Weaknesses
  Added: CWE-78
References
Metrics
  Added: cvssV3_1 {'score': 6.7, 'vector': 'CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


Subscriptions

Netatalk Netatalk
MITRE

Status: PUBLISHED

Assigner: securin

Published:

Updated: 2026-05-21T07:52:56.770Z

Reserved: 2026-05-05T07:25:20.197Z

Link: CVE-2026-44076

Vulnrichment

No data.

NVD

Status: Received

Published: 2026-05-21T08:16:23.023

Modified: 2026-05-21T09:16:29.890

Link: CVE-2026-44076

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-21T11:15:09Z

Weaknesses