Netatalk Security Advisory
| Subject | Bitwise OR logic bug enables shell injection |
|---|---|
| CVE ID# | CVE-2026-44055 |
| Severity | High |
| Disclosure Date | 2026/05/13 |
| Affected Versions | 3.1.4 - 4.4.2 |
| Summary | A bitwise-OR logic error causes user information to be appended to a shell command without proper escaping |
Description
When file change event (FCE) notification scripts are enabled, user identity data may be passed to a shell command without sufficient escaping. In some directory-service-backed account environments, an authenticated AFP session may be able to execute commands as the session user.
Patch Availability
Apply CVE-2026-44055.patch to a Netatalk 4.4.2 source tree to hotfix your local Netatalk deployment.
Alternatively, upgrade to Netatalk 4.4.3 or later, which includes the patch.
Netatalk administrators are advised to upgrade to this version or apply the patch as soon as possible.
CVSS Calculation
CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H (7.5)
Workaround
Disable FCE event command integrations (remove the fce notify script setting from afp.conf) until patched, and restrict account names to a safe character set where possible.
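The two workaround ideas above, an allow-list for account names and keeping user-supplied strings out of any shell parser, can be illustrated in C. The block below is an added example written for this advisory; it is not Netatalk's code and does not reproduce the affected FCE path. The script path, event name, file path and account names are constructed sample values.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Allow-list check for an account name before it is handed to a notify
 * script. Constructed policy for this example: ASCII letters, digits,
 * '_', '-' and '.', non-empty, and not starting with '-' (a leading dash
 * would otherwise be read by the script as an option). */
static bool is_safe_account_name(const char *name)
{
    if (name == NULL || name[0] == '\0' || name[0] == '-')
        return false;
    for (const char *p = name; *p != '\0'; p++) {
        unsigned char c = (unsigned char)*p;
        bool ok = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                  (c >= '0' && c <= '9') || c == '_' || c == '-' || c == '.';
        if (!ok)
            return false;
    }
    return true;
}

/* Fill a five-slot argv (script, event, path, user, NULL) for execv().
 * Because each value is a separate argument, no shell ever tokenises the
 * user name, so there is nothing to escape. Returns -1 and leaves the
 * vector untouched when the name fails the allow-list: refusing is safer
 * than attempting to quote. Hypothetical helper, not a Netatalk API. */
static int build_notify_argv(const char *argv_out[5], const char *script,
                             const char *event, const char *path,
                             const char *user)
{
    if (!is_safe_account_name(user))
        return -1;
    argv_out[0] = script;
    argv_out[1] = event;
    argv_out[2] = path;
    argv_out[3] = user;
    argv_out[4] = NULL;
    return 0;
}

/* Count how many of the given names would be rejected by the allow-list;
 * useful as a pre-deployment audit over an exported account list. */
static size_t count_unsafe_names(const char *const *names, size_t n)
{
    size_t unsafe = 0;
    for (size_t i = 0; i < n; i++)
        if (!is_safe_account_name(names[i]))
            unsafe++;
    return unsafe;
}

int main(void)
{
    /* Constructed sample account names (not real users). */
    const char *const names[] = { "alice", "bob.smith", "carol_1",
                                  "bad name", "semi;colon", "-dashfirst", "" };
    size_t n = sizeof names / sizeof names[0];

    for (size_t i = 0; i < n; i++)
        printf("%-12s %s\n", names[i],
               is_safe_account_name(names[i]) ? "allowed" : "rejected");
    printf("%zu of %zu names rejected\n", count_unsafe_names(names, n), n);

    const char *argv[5];
    if (build_notify_argv(argv, "/usr/local/bin/fce-notify", "modify",
                          "/srv/share/report.txt", "alice") == 0)
        printf("would execv: %s %s %s %s\n", argv[0], argv[1], argv[2], argv[3]);
    return 0;
}
```

The vector is built for `execv()` rather than `system()` or `popen()` on purpose: when the notify program is invoked directly, the account name reaches it as argv data and the question of shell escaping does not arise, which is the same property the patch restores for the affected code path.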
Credits
Vulnerability reported by:
@00redbeer
Patch developed by:
Daniel Markstedt of the Netatalk team