CWE-90
Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.
CVE-2026-25560 (GCVE-0-2026-25560)
Vulnerability from cvelistv5 – Published: 2026-02-07 21:56 – Updated: 2026-05-11 23:11
VLAI
Title
WeKan < 8.19 LDAP Authentication Filter Injection
Summary
WeKan versions prior to 8.19 contain an LDAP filter injection vulnerability in LDAP authentication. User-supplied username input is incorporated into LDAP search filters and DN-related values without adequate escaping, allowing an attacker to manipulate LDAP queries during authentication.
Severity
CWE
- CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/wekan/wekan/commit/0b0e16c3eae… | patch |
| https://wekan.fi/ | product |
| https://www.vulncheck.com/advisories/wekan-ldap-a… | third-party-advisory |
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-25560",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-02-10T16:19:22.225789Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-02-10T16:19:54.056Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "WeKan",
"repo": "https://github.com/wekan/wekan",
"vendor": "WeKan",
"versions": [
{
"lessThan": "8.19",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:wekan_project:wekan:*:*:*:*:*:*:*:*",
"versionEndExcluding": "8.20",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
]
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Joshua Rogers"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "WeKan versions prior to 8.19 contain an LDAP filter injection vulnerability in LDAP authentication. User-supplied username input is incorporated into LDAP search filters and DN-related values without adequate escaping, allowing an attacker to manipulate LDAP queries during authentication."
}
],
"value": "WeKan versions prior to 8.19 contain an LDAP filter injection vulnerability in LDAP authentication. User-supplied username input is incorporated into LDAP search filters and DN-related values without adequate escaping, allowing an attacker to manipulate LDAP queries during authentication."
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "NONE",
"attackVector": "NETWORK",
"baseScore": 8.7,
"baseSeverity": "HIGH",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-90",
"description": "CWE-90 Improper Neutralization of Special Elements used in an LDAP Query (\u0027LDAP Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-05-11T23:11:09.697Z",
"orgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"shortName": "VulnCheck"
},
"references": [
{
"tags": [
"patch"
],
"url": "https://github.com/wekan/wekan/commit/0b0e16c3eae28bbf453d33a81a9c58ce7db6d5bb"
},
{
"tags": [
"product"
],
"url": "https://wekan.fi/"
},
{
"tags": [
"third-party-advisory"
],
"url": "https://www.vulncheck.com/advisories/wekan-ldap-authentication-filter-injection"
}
],
"source": {
"discovery": "UNKNOWN"
},
"title": "WeKan \u003c 8.19 LDAP Authentication Filter Injection",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "83251b91-4cc7-4094-a5c7-464a1b83ea10",
"assignerShortName": "VulnCheck",
"cveId": "CVE-2026-25560",
"datePublished": "2026-02-07T21:56:19.152Z",
"dateReserved": "2026-02-02T20:12:33.396Z",
"dateUpdated": "2026-05-11T23:11:09.697Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-27860 (GCVE-0-2026-27860)
Vulnerability from cvelistv5 – Published: 2026-03-27 08:10 – Updated: 2026-03-27 12:33
VLAI
Summary
If auth_username_chars is empty, it is possible to inject arbitrary LDAP filter to Dovecot's LDAP authentication. This leads to potentially bypassing restrictions and allows probing of LDAP structure. Do not clear out auth_username_chars, or install fixed version. No publicly available exploits are known.
Severity
CWE
- CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://documentation.open-xchange.com/dovecot/se… | vendor-advisory |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| Open-Xchange GmbH | OX Dovecot Pro |
Affected:
0 , ≤ 3.1.0
(semver)
Affected: 0 , ≤ 2.4.0 (semver) |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-27860",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-27T12:33:33.962683Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T12:33:57.043Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"modules": [
"core"
],
"product": "OX Dovecot Pro",
"vendor": "Open-Xchange GmbH",
"versions": [
{
"lessThanOrEqual": "3.1.0",
"status": "affected",
"version": "0",
"versionType": "semver"
},
{
"lessThanOrEqual": "2.4.0",
"status": "affected",
"version": "0",
"versionType": "semver"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "If auth_username_chars is empty, it is possible to inject arbitrary LDAP filter to Dovecot\u0027s LDAP authentication. This leads to potentially bypassing restrictions and allows probing of LDAP structure. Do not clear out auth_username_chars, or install fixed version. No publicly available exploits are known."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "HIGH",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 3.7,
"baseSeverity": "LOW",
"confidentialityImpact": "LOW",
"integrityImpact": "NONE",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:N/A:N",
"version": "3.1"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-90",
"description": "Improper Neutralization of Special Elements used in an LDAP Query (\u0027LDAP Injection\u0027)",
"lang": "en",
"type": "cwe"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-27T12:33:33.940Z",
"orgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
"shortName": "OX"
},
"references": [
{
"tags": [
"vendor-advisory"
],
"url": "https://documentation.open-xchange.com/dovecot/security/advisories/csaf/2026/oxdc-adv-2026-0001.json"
}
],
"source": {
"defect": "DOV-8775",
"discovery": "EXTERNAL"
}
}
},
"cveMetadata": {
"assignerOrgId": "8ce71d90-2354-404b-a86e-bec2cc4e6981",
"assignerShortName": "OX",
"cveId": "CVE-2026-27860",
"datePublished": "2026-03-27T08:10:22.695Z",
"dateReserved": "2026-02-24T08:46:09.374Z",
"dateUpdated": "2026-03-27T12:33:57.043Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29131 (GCVE-0-2026-29131)
Vulnerability from cvelistv5 – Published: 2026-04-02 08:46 – Updated: 2026-04-02 13:31
VLAI
Title
PGP Decryption Recipient LDAP Injection
Summary
SEPPmail Secure Email Gateway before version 15.0.3 allows attackers with a specially crafted email address to read the contents of emails encrypted for other users.
Severity
CWE
- CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://downloads.seppmail.com/extrelnotes/150/ER… | release-notes |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SEPPmail | Secure Email Gateway |
Affected:
0 , < 15.0.3
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29131",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T13:16:53.366492Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T13:31:31.492Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Secure Email Gateway",
"vendor": "SEPPmail",
"versions": [
{
"lessThan": "15.0.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:seppmail:seppmail_secure_email_gateway:*:*:*:*:*:*:*:*",
"versionEndExcluding": "15.0.3",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Andris Suter-D\u00f6rig"
},
{
"lang": "en",
"type": "coordinator",
"value": "Matteo Scarlata"
},
{
"lang": "en",
"type": "coordinator",
"value": "Kenny Paterson"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SEPPmail Secure Email Gateway before version 15.0.3 allows attackers with a specially crafted email address to read the contents of emails encrypted for other users."
}
],
"value": "SEPPmail Secure Email Gateway before version 15.0.3 allows attackers with a specially crafted email address to read the contents of emails encrypted for other users."
}
],
"impacts": [
{
"capecId": "CAPEC-136",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-136 LDAP Injection"
}
]
},
{
"capecId": "CAPEC-116",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-116 Excavation"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 4.9,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "LOW",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-90",
"description": "CWE-90 Improper Neutralization of Special Elements used in an LDAP Query (\u0027LDAP Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T08:46:15.928Z",
"orgId": "455daabc-a392-441d-aa46-37d35189897c",
"shortName": "NCSC.ch"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#seppmail-vulnerability-disclosure-1503"
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2025-10-31T14:22:00.000Z",
"value": "Vulnerability disclosed to SEPPmail"
},
{
"lang": "en",
"time": "2026-03-03T00:00:00.000Z",
"value": "Version 15.0.3 released"
}
],
"title": "PGP Decryption Recipient LDAP Injection",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
"assignerShortName": "NCSC.ch",
"cveId": "CVE-2026-29131",
"datePublished": "2026-04-02T08:46:15.928Z",
"dateReserved": "2026-03-04T09:08:03.277Z",
"dateUpdated": "2026-04-02T13:31:31.492Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-29138 (GCVE-0-2026-29138)
Vulnerability from cvelistv5 – Published: 2026-04-02 08:47 – Updated: 2026-04-02 14:32
VLAI
Title
PGP Decryption Sender LDAP Injection
Summary
SEPPmail Secure Email Gateway before version 15.0.3 allows attackers with a specially crafted email address to claim another user's PGP signature as their own.
Severity
CWE
- CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://downloads.seppmail.com/extrelnotes/150/ER… | release-notes |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| SEPPmail | Secure Email Gateway |
Affected:
0 , < 15.0.3
(custom)
|
Credits
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-29138",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-02T14:32:47.151158Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T14:32:59.953Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"defaultStatus": "unaffected",
"product": "Secure Email Gateway",
"vendor": "SEPPmail",
"versions": [
{
"lessThan": "15.0.3",
"status": "affected",
"version": "0",
"versionType": "custom"
}
]
}
],
"cpeApplicability": [
{
"nodes": [
{
"cpeMatch": [
{
"criteria": "cpe:2.3:a:seppmail:seppmail_secure_email_gateway:*:*:*:*:*:*:*:*",
"versionEndExcluding": "15.0.3",
"versionStartIncluding": "0",
"vulnerable": true
}
],
"negate": false,
"operator": "OR"
}
],
"operator": "OR"
}
],
"credits": [
{
"lang": "en",
"type": "finder",
"value": "Andris Suter-D\u00f6rig"
},
{
"lang": "en",
"type": "coordinator",
"value": "Matteo Scarlata"
},
{
"lang": "en",
"type": "coordinator",
"value": "Kenny Paterson"
}
],
"descriptions": [
{
"lang": "en",
"supportingMedia": [
{
"base64": false,
"type": "text/html",
"value": "SEPPmail Secure Email Gateway before version 15.0.3 allows attackers with a specially crafted email address to claim another user\u0027s PGP signature as their own."
}
],
"value": "SEPPmail Secure Email Gateway before version 15.0.3 allows attackers with a specially crafted email address to claim another user\u0027s PGP signature as their own."
}
],
"impacts": [
{
"capecId": "CAPEC-136",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-136 LDAP Injection"
}
]
},
{
"capecId": "CAPEC-194",
"descriptions": [
{
"lang": "en",
"value": "CAPEC-194 Fake the Source of Data"
}
]
}
],
"metrics": [
{
"cvssV4_0": {
"Automatable": "NOT_DEFINED",
"Recovery": "NOT_DEFINED",
"Safety": "NOT_DEFINED",
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"exploitMaturity": "NOT_DEFINED",
"privilegesRequired": "NONE",
"providerUrgency": "NOT_DEFINED",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "LOW",
"userInteraction": "NONE",
"valueDensity": "NOT_DEFINED",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:N/VI:N/VA:N/SC:N/SI:L/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "NONE",
"vulnerabilityResponseEffort": "NOT_DEFINED"
},
"format": "CVSS",
"scenarios": [
{
"lang": "en",
"value": "GENERAL"
}
]
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-90",
"description": "CWE-90 Improper Neutralization of Special Elements used in an LDAP Query (\u0027LDAP Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-02T08:47:49.544Z",
"orgId": "455daabc-a392-441d-aa46-37d35189897c",
"shortName": "NCSC.ch"
},
"references": [
{
"tags": [
"release-notes"
],
"url": "https://downloads.seppmail.com/extrelnotes/150/ERN15.0.html#seppmail-vulnerability-disclosure-1503"
}
],
"source": {
"discovery": "EXTERNAL"
},
"timeline": [
{
"lang": "en",
"time": "2025-10-31T14:22:00.000Z",
"value": "Vulnerability disclosed to SEPPmail"
},
{
"lang": "en",
"time": "2026-03-03T00:00:00.000Z",
"value": "Version 15.0.3 released"
}
],
"title": "PGP Decryption Sender LDAP Injection",
"x_generator": {
"engine": "Vulnogram 0.5.0"
}
}
},
"cveMetadata": {
"assignerOrgId": "455daabc-a392-441d-aa46-37d35189897c",
"assignerShortName": "NCSC.ch",
"cveId": "CVE-2026-29138",
"datePublished": "2026-04-02T08:47:49.544Z",
"dateReserved": "2026-03-04T09:08:03.277Z",
"dateUpdated": "2026-04-02T14:32:59.953Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-31828 (GCVE-0-2026-31828)
Vulnerability from cvelistv5 – Published: 2026-03-10 21:41 – Updated: 2026-03-11 15:59
VLAI
Title
Parse Server has an LDAP injection via unsanitized user input in DN and group filter construction
Summary
Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.13 and 8.6.26, the LDAP authentication adapter is vulnerable to LDAP injection. User-supplied input (authData.id) is interpolated directly into LDAP Distinguished Names (DN) and group search filters without escaping special characters. This allows an attacker with valid LDAP credentials to manipulate the bind DN structure and to bypass group membership checks. This enables privilege escalation from any authenticated LDAP user to a member of any restricted group. The vulnerability affects Parse Server deployments that use the LDAP authentication adapter with group-based access control. This vulnerability is fixed in 9.5.2-alpha.13 and 8.6.26.
Severity
CWE
- CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/parse-community/parse-server/s… | x_refsource_CONFIRM |
| https://github.com/parse-community/parse-server/r… | x_refsource_MISC |
| https://github.com/parse-community/parse-server/r… | x_refsource_MISC |
Impacted products
1 product
| Vendor | Product | Version | |
|---|---|---|---|
| parse-community | parse-server |
Affected:
>= 9.0.0 < 9.5.2-alpha.13
Affected: < 8.6.26 |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-31828",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-11T15:51:50.477327Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-11T15:59:10.800Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "parse-server",
"vendor": "parse-community",
"versions": [
{
"status": "affected",
"version": "\u003e= 9.0.0 \u003c 9.5.2-alpha.13"
},
{
"status": "affected",
"version": "\u003c 8.6.26"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "Parse Server is an open source backend that can be deployed to any infrastructure that can run Node.js. Prior to 9.5.2-alpha.13 and 8.6.26, the LDAP authentication adapter is vulnerable to LDAP injection. User-supplied input (authData.id) is interpolated directly into LDAP Distinguished Names (DN) and group search filters without escaping special characters. This allows an attacker with valid LDAP credentials to manipulate the bind DN structure and to bypass group membership checks. This enables privilege escalation from any authenticated LDAP user to a member of any restricted group. The vulnerability affects Parse Server deployments that use the LDAP authentication adapter with group-based access control. This vulnerability is fixed in 9.5.2-alpha.13 and 8.6.26."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6,
"baseSeverity": "MEDIUM",
"privilegesRequired": "LOW",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "NONE",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "NONE",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-90",
"description": "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (\u0027LDAP Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-10T21:41:48.146Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7m6r-fhh7-r47c",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/parse-community/parse-server/security/advisories/GHSA-7m6r-fhh7-r47c"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/8.6.26",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/8.6.26"
},
{
"name": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.13",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/parse-community/parse-server/releases/tag/9.5.2-alpha.13"
}
],
"source": {
"advisory": "GHSA-7m6r-fhh7-r47c",
"discovery": "UNKNOWN"
},
"title": "Parse Server has an LDAP injection via unsanitized user input in DN and group filter construction"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-31828",
"datePublished": "2026-03-10T21:41:48.146Z",
"dateReserved": "2026-03-09T17:41:56.077Z",
"dateUpdated": "2026-03-11T15:59:10.800Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33289 (GCVE-0-2026-33289)
Vulnerability from cvelistv5 – Published: 2026-03-19 23:09 – Updated: 2026-03-20 14:58
VLAI
Title
SuiterCRM has LDAP Filter Injection in Authentication Module
Summary
SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, an LDAP Injection vulnerability exists in the SuiteCRM authentication flow. The application fails to properly sanitize user-supplied input before embedding it into the LDAP search filter. By injecting LDAP control characters, an unauthenticated attacker can manipulate the query logic, which can lead to authentication bypass or information disclosure. Versions 7.15.1 and 8.9.3 patch the issue.
Severity
8.8 (High)
CWE
- CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/SuiteCRM/SuiteCRM/security/adv… | x_refsource_CONFIRM |
| https://docs.suitecrm.com/admin/releases/7.15.x | x_refsource_MISC |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33289",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-20T14:58:50.559977Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-20T14:58:56.382Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "SuiteCRM",
"vendor": "SuiteCRM",
"versions": [
{
"status": "affected",
"version": "\u003c 7.15.1"
},
{
"status": "affected",
"version": "\u003e= 8.0.0, \u003c 8.9.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "SuiteCRM is an open-source, enterprise-ready Customer Relationship Management (CRM) software application. Prior to versions 7.15.1 and 8.9.3, an LDAP Injection vulnerability exists in the SuiteCRM authentication flow. The application fails to properly sanitize user-supplied input before embedding it into the LDAP search filter. By injecting LDAP control characters, an unauthenticated attacker can manipulate the query logic, which can lead to authentication bypass or information disclosure. Versions 7.15.1 and 8.9.3 patch the issue."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "HIGH",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "HIGH",
"privilegesRequired": "LOW",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-90",
"description": "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (\u0027LDAP Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-19T23:09:07.028Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-26vx-rj47-x599",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/SuiteCRM/SuiteCRM/security/advisories/GHSA-26vx-rj47-x599"
},
{
"name": "https://docs.suitecrm.com/admin/releases/7.15.x",
"tags": [
"x_refsource_MISC"
],
"url": "https://docs.suitecrm.com/admin/releases/7.15.x"
}
],
"source": {
"advisory": "GHSA-26vx-rj47-x599",
"discovery": "UNKNOWN"
},
"title": "SuiterCRM has LDAP Filter Injection in Authentication Module"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33289",
"datePublished": "2026-03-19T23:09:07.028Z",
"dateReserved": "2026-03-18T18:55:47.426Z",
"dateUpdated": "2026-03-20T14:58:56.382Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-33751 (GCVE-0-2026-33751)
Vulnerability from cvelistv5 – Published: 2026-03-25 18:47 – Updated: 2026-03-25 19:11
VLAI
Title
n8n Vulnerable to LDAP Filter Injection in LDAP Node
Summary
n8n is an open source workflow automation platform. Prior to versions 1.123.27, 2.13.3, and 2.14.1, a flaw in the LDAP node's filter escape logic allowed LDAP metacharacters to pass through unescaped when user-controlled input was interpolated into LDAP search filters. In workflows where external user input is passed via expressions into the LDAP node's search parameters, an attacker could manipulate the constructed filter to retrieve unintended LDAP records or bypass authentication checks implemented in the workflow. Exploitation requires a specific workflow configuration. The LDAP node must be used with user-controlled input passed via expressions (e.g., from a form or webhook). The issue has been fixed in n8n versions 1.123.27, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, disable the LDAP node by adding `n8n-nodes-base.ldap` to the `NODES_EXCLUDE` environment variable, and/or avoid passing unvalidated external user input into LDAP node search parameters via expressions. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures.
Severity
CWE
- CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Assigner
References
1 reference
| URL | Tags |
|---|---|
| https://github.com/n8n-io/n8n/security/advisories… | x_refsource_CONFIRM |
Impacted products
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-33751",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-03-25T19:10:55.970733Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T19:11:15.782Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "n8n",
"vendor": "n8n-io",
"versions": [
{
"status": "affected",
"version": "\u003c 1.123.27"
},
{
"status": "affected",
"version": "\u003e= 2.0.0-rc.0, \u003c 2.13.3"
},
{
"status": "affected",
"version": "= 2.14.0"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "n8n is an open source workflow automation platform. Prior to versions 1.123.27, 2.13.3, and 2.14.1, a flaw in the LDAP node\u0027s filter escape logic allowed LDAP metacharacters to pass through unescaped when user-controlled input was interpolated into LDAP search filters. In workflows where external user input is passed via expressions into the LDAP node\u0027s search parameters, an attacker could manipulate the constructed filter to retrieve unintended LDAP records or bypass authentication checks implemented in the workflow. Exploitation requires a specific workflow configuration. The LDAP node must be used with user-controlled input passed via expressions (e.g., from a form or webhook). The issue has been fixed in n8n versions 1.123.27, 2.13.3, and 2.14.1. Users should upgrade to one of these versions or later to remediate the vulnerability. If upgrading is not immediately possible, administrators should consider the following temporary mitigations: Limit workflow creation and editing permissions to fully trusted users only, disable the LDAP node by adding `n8n-nodes-base.ldap` to the `NODES_EXCLUDE` environment variable, and/or avoid passing unvalidated external user input into LDAP node search parameters via expressions. These workarounds do not fully remediate the risk and should only be used as short-term mitigation measures."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 6.3,
"baseSeverity": "MEDIUM",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "NONE",
"subConfidentialityImpact": "LOW",
"subIntegrityImpact": "NONE",
"userInteraction": "NONE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:N/VC:L/VI:L/VA:N/SC:L/SI:N/SA:N",
"version": "4.0",
"vulnAvailabilityImpact": "NONE",
"vulnConfidentialityImpact": "LOW",
"vulnIntegrityImpact": "LOW"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-90",
"description": "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (\u0027LDAP Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-03-25T18:47:39.149Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/n8n-io/n8n/security/advisories/GHSA-w83q-mcmx-mh42",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/n8n-io/n8n/security/advisories/GHSA-w83q-mcmx-mh42"
}
],
"source": {
"advisory": "GHSA-w83q-mcmx-mh42",
"discovery": "UNKNOWN"
},
"title": "n8n Vulnerable to LDAP Filter Injection in LDAP Node"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-33751",
"datePublished": "2026-03-25T18:47:39.149Z",
"dateReserved": "2026-03-23T18:30:14.125Z",
"dateUpdated": "2026-03-25T19:11:15.782Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-34578 (GCVE-0-2026-34578)
Vulnerability from cvelistv5 – Published: 2026-04-09 14:34 – Updated: 2026-04-09 17:45
VLAI
Title
OPNsense has an LDAP Injection via Unsanitized Username in Authentication
Summary
OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.6, OPNsense's LDAP authentication connector passes the login username directly into an LDAP search filter without calling ldap_escape(). An unauthenticated attacker can inject LDAP filter metacharacters into the username field of the WebGUI login page to enumerate valid LDAP usernames in the configured directory. When the LDAP server configuration includes an Extended Query to restrict login to members of a specific group, the same injection can be used to bypass that group membership restriction and authenticate as any LDAP user whose password is known, regardless of group membership. This vulnerability is fixed in 26.1.6.
Severity
8.2 (High)
CWE
- CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Assigner
References
2 references
| URL | Tags |
|---|---|
| https://github.com/opnsense/core/security/advisor… | x_refsource_CONFIRM |
| https://github.com/opnsense/core/commit/016f66cb4… | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-34578",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-09T17:45:17.527281Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T17:45:23.099Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"references": [
{
"tags": [
"exploit"
],
"url": "https://github.com/opnsense/core/security/advisories/GHSA-jpm7-f59c-mp54"
}
],
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "core",
"vendor": "opnsense",
"versions": [
{
"status": "affected",
"version": "\u003c 26.1.6"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "OPNsense is a FreeBSD based firewall and routing platform. Prior to 26.1.6, OPNsense\u0027s LDAP authentication connector passes the login username directly into an LDAP search filter without calling ldap_escape(). An unauthenticated attacker can inject LDAP filter metacharacters into the username field of the WebGUI login page to enumerate valid LDAP usernames in the configured directory. When the LDAP server configuration includes an Extended Query to restrict login to members of a specific group, the same injection can be used to bypass that group membership restriction and authenticate as any LDAP user whose password is known, regardless of group membership. This vulnerability is fixed in 26.1.6."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-90",
"description": "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (\u0027LDAP Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T14:34:20.158Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/opnsense/core/security/advisories/GHSA-jpm7-f59c-mp54",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/opnsense/core/security/advisories/GHSA-jpm7-f59c-mp54"
},
{
"name": "https://github.com/opnsense/core/commit/016f66cb4620cd48183fa97843f343bb71813c6e",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/opnsense/core/commit/016f66cb4620cd48183fa97843f343bb71813c6e"
}
],
"source": {
"advisory": "GHSA-jpm7-f59c-mp54",
"discovery": "UNKNOWN"
},
"title": "OPNsense has an LDAP Injection via Unsanitized Username in Authentication"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-34578",
"datePublished": "2026-04-09T14:34:20.158Z",
"dateReserved": "2026-03-30T16:56:30.998Z",
"dateUpdated": "2026-04-09T17:45:23.099Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-39962 (GCVE-0-2026-39962)
Vulnerability from cvelistv5 – Published: 2026-04-09 16:37 – Updated: 2026-04-10 14:07
VLAI
Title
LDAP injection in MISP ApacheAuthenticate when using a user-controlled Apache environment variable
Summary
MISP is an open source threat intelligence and sharing platform. Prior to 2.5.36, improper neutralization of special elements in an LDAP query in ApacheAuthenticate.php allows LDAP injection via an unsanitized username value when ApacheAuthenticate.apacheEnv is configured to use a user-controlled server variable instead of REMOTE_USER (such as in certain proxy setups). An attacker able to control that value can manipulate the LDAP search filter and potentially bypass authentication constraints or cause unauthorized LDAP queries. This vulnerability is fixed in 2.5.36.
Severity
CWE
- CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Assigner
References
4 references
| URL | Tags |
|---|---|
| https://github.com/MISP/MISP/security/advisories/… | x_refsource_CONFIRM |
| https://github.com/MISP/MISP/commit/380ee4136a7d9… | x_refsource_MISC |
| https://github.com/MISP/MISP/commit/d7d671ea8f582… | x_refsource_MISC |
| https://github.com/MISP/MISP/releases/tag/v2.5.36 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-39962",
"options": [
{
"Exploitation": "none"
},
{
"Automatable": "no"
},
{
"Technical Impact": "total"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-10T14:06:56.445635Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-10T14:07:02.751Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "MISP",
"vendor": "MISP",
"versions": [
{
"status": "affected",
"version": "\u003c 2.5.36"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "MISP is an open source threat intelligence and sharing platform. Prior to 2.5.36, improper neutralization of special elements in an LDAP query in ApacheAuthenticate.php allows LDAP injection via an unsanitized username value when ApacheAuthenticate.apacheEnv is configured to use a user-controlled server variable instead of REMOTE_USER (such as in certain proxy setups). An attacker able to control that value can manipulate the LDAP search filter and potentially bypass authentication constraints or cause unauthorized LDAP queries. This vulnerability is fixed in 2.5.36."
}
],
"metrics": [
{
"cvssV4_0": {
"attackComplexity": "LOW",
"attackRequirements": "PRESENT",
"attackVector": "NETWORK",
"baseScore": 8.8,
"baseSeverity": "HIGH",
"privilegesRequired": "NONE",
"subAvailabilityImpact": "HIGH",
"subConfidentialityImpact": "HIGH",
"subIntegrityImpact": "HIGH",
"userInteraction": "ACTIVE",
"vectorString": "CVSS:4.0/AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:L/SC:H/SI:H/SA:H",
"version": "4.0",
"vulnAvailabilityImpact": "LOW",
"vulnConfidentialityImpact": "HIGH",
"vulnIntegrityImpact": "HIGH"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-90",
"description": "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (\u0027LDAP Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-09T16:37:38.880Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/MISP/MISP/security/advisories/GHSA-mc53-48w8-9g63",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/MISP/MISP/security/advisories/GHSA-mc53-48w8-9g63"
},
{
"name": "https://github.com/MISP/MISP/commit/380ee4136a7d9ce2fe63fce06d517839f30aba10",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/MISP/MISP/commit/380ee4136a7d9ce2fe63fce06d517839f30aba10"
},
{
"name": "https://github.com/MISP/MISP/commit/d7d671ea8f5822e91207dcad2003c35c30092a32",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/MISP/MISP/commit/d7d671ea8f5822e91207dcad2003c35c30092a32"
},
{
"name": "https://github.com/MISP/MISP/releases/tag/v2.5.36",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/MISP/MISP/releases/tag/v2.5.36"
}
],
"source": {
"advisory": "GHSA-mc53-48w8-9g63",
"discovery": "UNKNOWN"
},
"title": "LDAP injection in MISP ApacheAuthenticate when using a user-controlled Apache environment variable"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-39962",
"datePublished": "2026-04-09T16:37:38.880Z",
"dateReserved": "2026-04-07T22:40:33.822Z",
"dateUpdated": "2026-04-10T14:07:02.751Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
CVE-2026-40193 (GCVE-0-2026-40193)
Vulnerability from cvelistv5 – Published: 2026-04-15 23:15 – Updated: 2026-04-16 14:23
VLAI
Title
Maddy Mail Server: LDAP Filter Injection via Unsanitized Username
Summary
maddy is a composable, all-in-one mail server. Versions prior to 0.9.3 contain an LDAP injection vulnerability in the auth.ldap module where user-supplied usernames are interpolated into LDAP search filters and DN strings via strings.ReplaceAll() without any LDAP filter escaping, despite the go-ldap/ldap/v3 library's ldap.EscapeFilter() function being available in the same import. This affects three code paths: the Lookup() filter, the AuthPlain() DN template, and the AuthPlain() filter. An attacker with network access to the SMTP submission or IMAP interface can inject arbitrary LDAP filter expressions through the username field in AUTH PLAIN or LOGIN commands. This enables identity spoofing by manipulating filter results to authenticate as another user, LDAP directory enumeration via wildcard filters, and blind extraction of LDAP attribute values using authentication responses as a boolean oracle or via timing side-channels between the two distinct failure paths. This issue has been fixed in version 0.9.3.
Severity
8.2 (High)
CWE
- CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
Assigner
References
3 references
| URL | Tags |
|---|---|
| https://github.com/foxcpp/maddy/security/advisori… | x_refsource_CONFIRM |
| https://github.com/foxcpp/maddy/commit/6a06337eb4… | x_refsource_MISC |
| https://github.com/foxcpp/maddy/releases/tag/v0.9.3 | x_refsource_MISC |
{
"containers": {
"adp": [
{
"metrics": [
{
"other": {
"content": {
"id": "CVE-2026-40193",
"options": [
{
"Exploitation": "poc"
},
{
"Automatable": "yes"
},
{
"Technical Impact": "partial"
}
],
"role": "CISA Coordinator",
"timestamp": "2026-04-16T14:23:43.299676Z",
"version": "2.0.3"
},
"type": "ssvc"
}
}
],
"providerMetadata": {
"dateUpdated": "2026-04-16T14:23:52.438Z",
"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
"shortName": "CISA-ADP"
},
"title": "CISA ADP Vulnrichment"
}
],
"cna": {
"affected": [
{
"product": "maddy",
"vendor": "foxcpp",
"versions": [
{
"status": "affected",
"version": "\u003c 0.9.3"
}
]
}
],
"descriptions": [
{
"lang": "en",
"value": "maddy is a composable, all-in-one mail server. Versions prior to 0.9.3 contain an LDAP injection vulnerability in the auth.ldap module where user-supplied usernames are interpolated into LDAP search filters and DN strings via strings.ReplaceAll() without any LDAP filter escaping, despite the go-ldap/ldap/v3 library\u0027s ldap.EscapeFilter() function being available in the same import. This affects three code paths: the Lookup() filter, the AuthPlain() DN template, and the AuthPlain() filter. An attacker with network access to the SMTP submission or IMAP interface can inject arbitrary LDAP filter expressions through the username field in AUTH PLAIN or LOGIN commands. This enables identity spoofing by manipulating filter results to authenticate as another user, LDAP directory enumeration via wildcard filters, and blind extraction of LDAP attribute values using authentication responses as a boolean oracle or via timing side-channels between the two distinct failure paths. This issue has been fixed in version 0.9.3."
}
],
"metrics": [
{
"cvssV3_1": {
"attackComplexity": "LOW",
"attackVector": "NETWORK",
"availabilityImpact": "NONE",
"baseScore": 8.2,
"baseSeverity": "HIGH",
"confidentialityImpact": "HIGH",
"integrityImpact": "LOW",
"privilegesRequired": "NONE",
"scope": "UNCHANGED",
"userInteraction": "NONE",
"vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
"version": "3.1"
}
}
],
"problemTypes": [
{
"descriptions": [
{
"cweId": "CWE-90",
"description": "CWE-90: Improper Neutralization of Special Elements used in an LDAP Query (\u0027LDAP Injection\u0027)",
"lang": "en",
"type": "CWE"
}
]
}
],
"providerMetadata": {
"dateUpdated": "2026-04-15T23:15:25.011Z",
"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"shortName": "GitHub_M"
},
"references": [
{
"name": "https://github.com/foxcpp/maddy/security/advisories/GHSA-5835-4gvc-32pc",
"tags": [
"x_refsource_CONFIRM"
],
"url": "https://github.com/foxcpp/maddy/security/advisories/GHSA-5835-4gvc-32pc"
},
{
"name": "https://github.com/foxcpp/maddy/commit/6a06337eb41fa87a35697366bcb71c3c962c44ba",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/foxcpp/maddy/commit/6a06337eb41fa87a35697366bcb71c3c962c44ba"
},
{
"name": "https://github.com/foxcpp/maddy/releases/tag/v0.9.3",
"tags": [
"x_refsource_MISC"
],
"url": "https://github.com/foxcpp/maddy/releases/tag/v0.9.3"
}
],
"source": {
"advisory": "GHSA-5835-4gvc-32pc",
"discovery": "UNKNOWN"
},
"title": "Maddy Mail Server: LDAP Filter Injection via Unsanitized Username"
}
},
"cveMetadata": {
"assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa",
"assignerShortName": "GitHub_M",
"cveId": "CVE-2026-40193",
"datePublished": "2026-04-15T23:15:25.011Z",
"dateReserved": "2026-04-09T20:59:17.620Z",
"dateUpdated": "2026-04-16T14:23:52.438Z",
"state": "PUBLISHED"
},
"dataType": "CVE_RECORD",
"dataVersion": "5.2"
}
Mitigation ID: MIT-5
Phase: Implementation
Strategy: Input Validation
Description:
- Assume all input is malicious. Use an "accept known good" input validation strategy, i.e., use a list of acceptable inputs that strictly conform to specifications. Reject any input that does not strictly conform to specifications, or transform it into something that does.
- When performing input validation, consider all potentially relevant properties, including length, type of input, the full range of acceptable values, missing or extra inputs, syntax, consistency across related fields, and conformance to business rules. As an example of business rule logic, "boat" may be syntactically valid because it only contains alphanumeric characters, but it is not valid if the input is only expected to contain colors such as "red" or "blue."
- Do not rely exclusively on looking for malicious or malformed inputs. This is likely to miss at least one undesirable input, especially if the code's environment changes. This can give attackers enough room to bypass the intended validation. However, denylists can be useful for detecting potential attacks or determining which inputs are so malformed that they should be rejected outright.
CAPEC-136: LDAP Injection
An attacker manipulates or crafts an LDAP query for the purpose of undermining the security of the target. Some applications use user input to create LDAP queries that are processed by an LDAP server. For example, a user might provide their username during authentication and the username might be inserted in an LDAP query during the authentication process. An attacker could use this input to inject additional commands into an LDAP query that could disclose sensitive information. For example, entering a * in the aforementioned query might return information about all users on the system. This attack is very similar to an SQL injection attack in that it manipulates a query to gather additional information or coerce a particular return value.