Netatalk Security Advisory
| Subject | Predictable afpd session token |
|---|---|
| CVE ID# | CVE-2026-44054 |
| Severity | Medium |
| Disclosure Date | 2026/05/13 |
| Affected Versions | 2.0.0 - 4.4.2 |
| Summary | AFP session tokens are derived from the process ID, making them enumerable by an attacker |
Description
AFP session reconnect tokens are derived from the afpd process ID rather than generated from a cryptographically secure random source, so an authenticated user can enumerate them. By presenting guessed tokens to the reconnect path, such a user may be able to terminate processes on the host, causing denial of service.
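The following C example, added here to illustrate the weakness class and not taken from Netatalk's afpd source, contrasts a hypothetical token that is a pure function of the server PID with one filled from the kernel CSPRNG via getrandom(2), and compares the guessing work each requires; TOKEN_LEN, the derivation, and the pid_max figures are assumptions for the demonstration.

```c
/* Illustrative contrast of a PID-derived AFP reconnect token with one drawn from
 * the kernel CSPRNG. Hypothetical code for this advisory, not Netatalk's source. */
#include <stdint.h>
#include <string.h>
#include <sys/random.h>
#include <sys/types.h>

#define TOKEN_LEN 16   /* assumed token length in bytes */

/* Weak scheme (the flaw class behind CVE-2026-44054): token is a pure function of the PID. */
void weak_token_from_pid(pid_t pid, uint8_t out[TOKEN_LEN]) {
    memset(out, 0, TOKEN_LEN);
    memcpy(out, &pid, sizeof pid);   /* hypothetical derivation */
}
/* Hardened scheme: fill the token from getrandom(2); 0 on success, -1 on error. */
int random_token(uint8_t out[TOKEN_LEN]) {
    for (size_t got = 0; got < TOKEN_LEN;) {
        ssize_t n = getrandom(out + got, TOKEN_LEN - got, 0);
        if (n < 0) return -1;
        got += (size_t)n;
    }
    return 0;
}
/* Guessing work in bits: floor(log2(pid_max)), e.g. 15 for the Linux default
 * pid_max of 32768, versus 8 * TOKEN_LEN for the random scheme. */
int weak_token_bits(long pid_max) {
    int bits = 0;
    while (pid_max > 1) { pid_max >>= 1; bits++; }
    return bits;
}
int random_token_bits(void) { return 8 * TOKEN_LEN; }
/* Constant-time comparison so token validation does not leak via timing. */
int token_equal(const uint8_t a[TOKEN_LEN], const uint8_t b[TOKEN_LEN]) {
    uint8_t diff = 0;
    for (size_t i = 0; i < TOKEN_LEN; i++) diff |= a[i] ^ b[i];
    return diff == 0;
}
/* 1 if two weak tokens for the same PID are identical (they always are). */
int weak_is_deterministic(pid_t pid) {
    uint8_t a[TOKEN_LEN], b[TOKEN_LEN];
    weak_token_from_pid(pid, a);
    weak_token_from_pid(pid, b);
    return token_equal(a, b);
}
/* 1 if two fresh random tokens differ (collision odds are 2^-128). */
int random_is_unpredictable(void) {
    uint8_t a[TOKEN_LEN], b[TOKEN_LEN];
    if (random_token(a) != 0 || random_token(b) != 0) return 0;
    return !token_equal(a, b);
}
```

The point for reviewers of a fix is that a reconnect token must come from a CSPRNG (as in random_token) and be compared in constant time; any derivation from PIDs, timestamps or counters leaves a search space an authenticated client can cover.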
Patch Availability
Apply CVE-2026-44054.patch to a Netatalk 4.4.2 source tree to hotfix your local Netatalk deployment.
Alternatively, upgrade to Netatalk 4.4.3 or later, which includes the patch.
Netatalk administrators are advised to upgrade to this version or apply the patch as soon as possible.
CVSS Calculation
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H (6.5)
Workaround
Restrict AFP access to trusted networks until patched.
Credits
Vulnerability reported by:
@00redbeer
Patch developed by:
Daniel Markstedt of the Netatalk team