Netatalk Security Advisory
| Subject | Shell injection via volume path |
|---|---|
| CVE ID# | CVE-2026-44076 |
| Severity | Medium |
| Disclosure Date | 2026/05/13 |
| Affected Versions | 3.1.0 - 4.4.2 |
| Summary | A configured volume path is embedded in a single-quoted shell command |
Description
Netatalk's Spotlight service setup embeds administrator-configured volume paths into single-quoted shell commands without handling every quoting edge case. In POSIX sh a single-quoted string cannot itself contain a single quote, so a volume path containing one terminates the quoting early and the remainder of the path is interpreted by the shell as command text. This may allow command execution at service startup or reconfiguration if an untrusted user can influence the configured paths; it is not remotely exploitable through AFP alone, since the path comes from the server's configuration rather than from the client.
Patch Availability
Apply CVE-2026-44076.patch to a Netatalk 4.4.2 source tree to hotfix your local Netatalk deployment.
Alternatively, upgrade to Netatalk 4.4.3 or later, which includes the patch.
Netatalk administrators are advised to upgrade to this version or apply the patch as soon as possible.
CVSS Calculation
CVSS:3.1/AV:L/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H (6.7)
Workaround
Restrict write access to the Netatalk configuration files so that only trusted administrators can define or change volumes, and until patched avoid volume paths containing shell metacharacters, single quotes in particular.
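The following C program is an added illustration for this advisory and is not Netatalk's own code; the indexer command, its flag and the sample volume path are constructed for the example and should be read as assumptions, not as what Netatalk actually runs. It shows the unsafe pattern described under Description (a configured path dropped into a single-quoted command) beside the correct POSIX quoting, a tokenizer that counts how many metacharacters actually reach the shell in each case, and the path check an administrator could apply when following the workaround above.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Illustrative code for this advisory, not Netatalk's. The command template,
 * indexer name and volume path are constructed assumptions for the example. */
#define SETUP_TEMPLATE "/usr/bin/example-indexer --add "

/* Naive embedding: wrap the path in single quotes without escaping anything.
 * A single quote inside the path closes the quoting early and the rest of the
 * path is parsed by the shell. Caller frees the result. */
char *quote_naive(const char *path)
{
    size_t n = strlen(path) + 3;            /* two quotes + NUL */
    char *out = malloc(n);
    if (!out)
        return NULL;
    snprintf(out, n, "'%s'", path);
    return out;
}

/* Correct embedding for POSIX sh: wrap in single quotes and rewrite every
 * embedded ' as '\'' (close the quote, escaped literal quote, reopen).
 * Caller frees the result. */
char *quote_posix(const char *path)
{
    size_t extra = 0;
    for (const char *p = path; *p; p++)
        if (*p == '\'')
            extra += 3;                     /* ' grows into '\'' */
    char *out = malloc(strlen(path) + extra + 3);
    if (!out)
        return NULL;
    char *o = out;
    *o++ = '\'';
    for (const char *p = path; *p; p++) {
        if (*p == '\'') {
            memcpy(o, "'\\''", 4);
            o += 4;
        } else {
            *o++ = *p;
        }
    }
    *o++ = '\'';
    *o = '\0';
    return out;
}

/* Tokenise the command the way sh handles single quotes and count the
 * metacharacters that end up OUTSIDE quotes, i.e. the ones the shell acts on.
 * Returns -1 if the string ends inside an unterminated single quote. */
int unquoted_metachars(const char *cmd)
{
    int in_squote = 0, count = 0;
    for (const char *p = cmd; *p; p++) {
        if (*p == '\'') {
            in_squote = !in_squote;
            continue;
        }
        if (in_squote)
            continue;
        if (*p == '\\' && p[1]) {           /* backslash escapes the next char */
            p++;
            continue;
        }
        if (strchr(";|&$`<>()", *p))
            count++;
    }
    return in_squote ? -1 : count;
}

/* Workaround check: does a configured path contain any character the shell
 * treats specially? Returns 1 if so (avoid such paths until patched). */
int path_has_shell_metachars(const char *path)
{
    return strpbrk(path, "'\"\\;|&$`<>() \t\n*?[]#~") != NULL;
}

/* Build the full command line from the template and an already quoted path. */
static char *build_cmd(const char *quoted_path)
{
    size_t n = strlen(SETUP_TEMPLATE) + strlen(quoted_path) + 1;
    char *cmd = malloc(n);
    if (!cmd)
        return NULL;
    snprintf(cmd, n, "%s%s", SETUP_TEMPLATE, quoted_path);
    return cmd;
}

int main(void)
{
    /* Constructed malicious volume path: note the embedded single quote. */
    const char *path = "/srv/share'; id; echo '";
    char *naive = quote_naive(path), *safe = quote_posix(path);
    char *cmd_naive = build_cmd(naive), *cmd_safe = build_cmd(safe);

    printf("naive: %s\n  -> %d metacharacter(s) reach the shell\n",
           cmd_naive, unquoted_metachars(cmd_naive));
    printf("safe:  %s\n  -> %d metacharacter(s) reach the shell\n",
           cmd_safe, unquoted_metachars(cmd_safe));
    printf("workaround check flags this path: %s\n",
           path_has_shell_metachars(path) ? "yes" : "no");

    free(naive); free(safe); free(cmd_naive); free(cmd_safe);
    return 0;
}
```

With the naive quoting, two metacharacters (the `;` separators) reach the shell and `id` would run as a separate command; with the `'\''` rewrite none do. Even so, the more robust fix is to avoid the shell altogether and hand the path to the helper as its own argv element through posix_spawn(3) or execv(3), so that no quoting rules apply at all.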
Credits
Vulnerability reported by:
@00redbeer
Patch developed by:
Daniel Markstedt of the Netatalk team