Bug 2458858 (CVE-2026-40193)
| Summary: | CVE-2026-40193 maddy: maddy: Identity spoofing and information disclosure via LDAP injection | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | high | Docs Contact: | |
| Priority: | high | ||
| Version: | unspecified | Keywords: | Security |
| Target Milestone: | --- | ||
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: |
A flaw was found in maddy, a composable mail server. This LDAP (Lightweight Directory Access Protocol) injection vulnerability allows a remote attacker to inject arbitrary LDAP filter expressions into username fields during authentication. By exploiting this, an attacker can achieve identity spoofing, enabling them to authenticate as other users. Additionally, this flaw can lead to the enumeration of the LDAP directory and the blind extraction of sensitive LDAP attribute values.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
|
Description
OSIDB Bzimport
2026-04-16 00:01:19 UTC
|