CVE-2026-40193
Status: Received - Intake
LDAP Injection in maddy Mail Server Enables Identity Spoofing

Publication date: 2026-04-16

Last updated on: 2026-04-22

Assigner: GitHub, Inc.

Description
maddy is a composable, all-in-one mail server. Versions prior to 0.9.3 contain an LDAP injection vulnerability in the auth.ldap module where user-supplied usernames are interpolated into LDAP search filters and DN strings via strings.ReplaceAll() without any LDAP filter escaping, despite the go-ldap/ldap/v3 library's ldap.EscapeFilter() function being available in the same import. This affects three code paths: the Lookup() filter, the AuthPlain() DN template, and the AuthPlain() filter. An attacker with network access to the SMTP submission or IMAP interface can inject arbitrary LDAP filter expressions through the username field in AUTH PLAIN or LOGIN commands. This enables identity spoofing by manipulating filter results to authenticate as another user, LDAP directory enumeration via wildcard filters, and blind extraction of LDAP attribute values using authentication responses as a boolean oracle or via timing side-channels between the two distinct failure paths. This issue has been fixed in version 0.9.3.
Meta Information
Published
2026-04-16
Last Modified
2026-04-22
Generated
2026-05-07
AI Q&A
2026-04-16
EPSS Evaluated
2026-05-05
Affected Vendors & Products
Vendor: maddy_project
Product: maddy
Version / Range: to 0.9.3 (exc)
CWE-90: The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.
AI Powered Q&A
Can you explain this vulnerability to me?

CVE-2026-40193 is an LDAP injection vulnerability in the maddy mail server's auth.ldap module affecting versions prior to 0.9.3. The vulnerability occurs because user-supplied usernames are directly inserted into LDAP search filters and distinguished name (DN) strings without proper escaping. This improper handling allows attackers with network access to the SMTP submission or IMAP interface to inject arbitrary LDAP filter expressions through the username field in authentication commands.

Exploitation of this vulnerability enables attackers to spoof identities by manipulating filter results to authenticate as another user, enumerate LDAP directory contents by injecting wildcard filters, and extract sensitive LDAP attribute values through blind injection or timing side-channel attacks.

The root cause is the failure to use the available ldap.EscapeFilter() function to sanitize usernames before embedding them into LDAP queries, leading to injection opportunities.


How can this vulnerability impact me?

This vulnerability can have serious impacts including:

  • Identity spoofing: Attackers can authenticate as other users by injecting LDAP filters in the username field.
  • LDAP directory enumeration: Attackers can discover user accounts and directory structure by injecting wildcard filters and analyzing error responses.
  • Sensitive data extraction: Attackers can extract LDAP attribute values, including password hashes and authorization data, using blind LDAP injection techniques and timing side-channel attacks.

Overall, this leads to unauthorized access to confidential information and potential compromise of user identities within the mail server environment.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

Detection of this LDAP injection vulnerability involves monitoring authentication attempts on the SMTP submission (port 587) and IMAP (ports 993/143) interfaces for suspicious username inputs that contain LDAP filter special characters or crafted LDAP filter expressions.

Since the vulnerability allows injection through the username field in AUTH PLAIN or LOGIN commands, you can detect exploitation attempts by capturing and analyzing network traffic for authentication requests with usernames containing LDAP special characters such as (, ), *, \, or crafted filters like "bob)(description=S*".

Suggested commands to detect such attempts include using packet capture tools like tcpdump or Wireshark to filter SMTP and IMAP authentication traffic and then searching for suspicious username patterns.

  • tcpdump -i <interface> -A port 587 or port 993 or port 143 | grep -i 'AUTH PLAIN\|LOGIN'
  • Use Wireshark to filter on smtp.auth or imap.auth and inspect username fields for LDAP special characters or unusual filter syntax.

Additionally, reviewing server logs for authentication failures or unusual authentication success patterns with usernames containing LDAP filter characters can help identify exploitation attempts.
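The detection advice above stops at "look for LDAP special characters in usernames", but an AUTH PLAIN line carries the username base64-encoded inside a SASL PLAIN message, so a plain grep on the capture never sees the metacharacters. The following is an added example written for this page (not maddy code and not part of the original answer): it decodes SMTP AUTH PLAIN initial responses and IMAP LOGIN commands, extracts the authentication identity, and flags usernames containing the characters named above. The sample lines are constructed here, the helper names (plainAuthLine, usernameFromLine, scanLines) are this example's own, and the crafted username is the one quoted in the detection section.

```go
package main

import (
	"encoding/base64"
	"fmt"
	"regexp"
	"strings"
)

// plainAuthLine builds an SMTP "AUTH PLAIN <base64>" line from a SASL PLAIN
// message (RFC 4616: [authzid] NUL authcid NUL password). It exists only to
// construct sample input; in practice the lines come from a capture or a log.
func plainAuthLine(authzid, authcid, password string) string {
	msg := authzid + "\x00" + authcid + "\x00" + password
	return "AUTH PLAIN " + base64.StdEncoding.EncodeToString([]byte(msg))
}

// Constructed sample lines, shaped like what tcpdump -A or a submission log
// shows for the commands named in the detection section. Not real maddy output.
// The first line carries the crafted username quoted above.
var sampleLines = []string{
	plainAuthLine("", "bob)(description=S*", "secret"),
	plainAuthLine("", "alice", "secret"),
	`a001 LOGIN "carol" "hunter2"`,
	`a002 LOGIN "*" "x"`,
}

// ldapMeta matches the filter metacharacters the page lists, plus NUL.
var ldapMeta = regexp.MustCompile(`[()*\\\x00]`)

// Finding records one line whose username contains a filter metacharacter.
type Finding struct {
	Line     string
	Username string
	Reason   string
}

// usernameFromLine extracts the authentication identity from an SMTP
// "AUTH PLAIN <initial-response>" line or an IMAP "<tag> LOGIN <user> <pass>"
// line. The base64 must be decoded before inspection: the metacharacters are
// invisible in the encoded form. Other shapes (AUTH PLAIN with the response on
// a following line, AUTH LOGIN, IMAP literal strings) are out of scope here.
func usernameFromLine(line string) (string, bool) {
	fields := strings.Fields(line)
	switch {
	case len(fields) == 3 && strings.EqualFold(fields[0], "AUTH") && strings.EqualFold(fields[1], "PLAIN"):
		raw, err := base64.StdEncoding.DecodeString(fields[2])
		if err != nil {
			return "", false
		}
		parts := strings.SplitN(string(raw), "\x00", 3)
		if len(parts) != 3 {
			return "", false
		}
		return parts[1], true // authcid: the identity being authenticated
	case len(fields) >= 4 && strings.EqualFold(fields[1], "LOGIN"):
		return strings.Trim(fields[2], `"`), true
	}
	return "", false
}

// scanLines returns a Finding for every line whose decoded username contains an
// LDAP filter metacharacter; those are the lines worth correlating with the
// server's authentication log.
func scanLines(lines []string) []Finding {
	var out []Finding
	for _, l := range lines {
		u, ok := usernameFromLine(l)
		if !ok {
			continue
		}
		if m := ldapMeta.FindString(u); m != "" {
			out = append(out, Finding{
				Line:     l,
				Username: u,
				Reason:   fmt.Sprintf("LDAP filter metacharacter %q in username", m),
			})
		}
	}
	return out
}

func main() {
	for _, f := range scanLines(sampleLines) {
		fmt.Printf("ALERT %s\n  line: %s\n  user: %q\n", f.Reason, f.Line, f.Username)
	}
}
```

Two practical caveats: traffic on port 993 and any session upgraded with STARTTLS is encrypted, so for those the decoded username has to come from the server's own authentication log rather than from the wire; and a match is a trigger for review, not proof of exploitation, although legitimate mail usernames almost never contain these characters.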


What immediate steps should I take to mitigate this vulnerability?

The primary and immediate mitigation step is to upgrade the maddy mail server to version 0.9.3 or later, where the vulnerability has been fixed by properly escaping usernames in LDAP filter and DN constructions.

This update ensures that user-supplied usernames are sanitized using ldap.EscapeFilter() and ldap.EscapeDN(), preventing LDAP injection attacks.
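To make the fix concrete, here is an added example written for this page, not maddy's own code, contrasting the pre-0.9.3 pattern from the description (raw username substituted into the filter with strings.ReplaceAll) with escape-then-substitute, the approach the fix takes. The templates, the {username} placeholder and the two escapers are assumptions: escapeFilterValue and escapeDNValue are hand-written RFC 4515 and RFC 4514 escapers standing in for go-ldap's ldap.EscapeFilter() and ldap.EscapeDN(), and countItems is a structural check of this example's own design. The crafted username is the one quoted in the detection section.

```go
package main

import (
	"fmt"
	"strings"
)

// Constructed templates in the style of an LDAP auth module's configuration.
// They are assumptions for this example, not maddy's actual defaults.
const (
	filterTemplate = "(&(objectClass=inetOrgPerson)(uid={username}))"
	dnTemplate     = "uid={username},ou=people,dc=example,dc=org"
)

// buildFilterUnescaped reproduces the pre-0.9.3 pattern the advisory describes:
// the raw username goes straight into the filter via strings.ReplaceAll.
func buildFilterUnescaped(username string) string {
	return strings.ReplaceAll(filterTemplate, "{username}", username)
}

// escapeFilterValue is a hand-written RFC 4515 value escaper, assumed to match
// what go-ldap's ldap.EscapeFilter() does: '(', ')', '*', '\', NUL and any
// non-ASCII byte become a backslash followed by two hex digits.
func escapeFilterValue(v string) string {
	const hexDigits = "0123456789abcdef"
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		c := v[i]
		if c == '(' || c == ')' || c == '*' || c == '\\' || c == 0 || c > 0x7f {
			b.WriteByte('\\')
			b.WriteByte(hexDigits[c>>4])
			b.WriteByte(hexDigits[c&0x0f])
			continue
		}
		b.WriteByte(c)
	}
	return b.String()
}

// escapeDNValue is a simplified RFC 4514 attribute-value escaper standing in
// for go-ldap's ldap.EscapeDN(): RDN separators and quoting characters get a
// leading backslash, as do a leading '#' and leading or trailing spaces.
func escapeDNValue(v string) string {
	var b strings.Builder
	for i := 0; i < len(v); i++ {
		c := v[i]
		switch {
		case c == 0:
			b.WriteString(`\00`)
		case (i == 0 || i == len(v)-1) && c == ' ',
			i == 0 && c == '#',
			strings.IndexByte(`"+,;<>\`, c) >= 0:
			b.WriteByte('\\')
			b.WriteByte(c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// buildFilterEscaped and buildDNEscaped are the hardened forms: escape the
// value first, then substitute it into the template.
func buildFilterEscaped(username string) string {
	return strings.ReplaceAll(filterTemplate, "{username}", escapeFilterValue(username))
}

func buildDNEscaped(username string) string {
	return strings.ReplaceAll(dnTemplate, "{username}", escapeDNValue(username))
}

// countItems is a cheap structural check: a filter built from one username must
// have exactly as many '(' as the template. More means the username changed
// the filter's shape, which is what the injection relies on.
func countItems(filter string) int {
	return strings.Count(filter, "(")
}

func main() {
	crafted := "bob)(description=S*" // the sample input quoted in the detection section
	for _, u := range []string{"bob", crafted} {
		fmt.Printf("username %q\n", u)
		fmt.Printf("  unescaped filter: %s  items=%d\n", buildFilterUnescaped(u), countItems(buildFilterUnescaped(u)))
		fmt.Printf("  escaped filter:   %s  items=%d\n", buildFilterEscaped(u), countItems(buildFilterEscaped(u)))
		fmt.Printf("  escaped DN:       %s\n", buildDNEscaped(u))
	}
}
```

With the crafted input, the unescaped path yields a filter with one more item than the template, which is exactly how a username can rewrite the query; the escaped path keeps the template's shape and the whole username stays inside the uid value. The DN path needs its own escaper because the metacharacters differ (commas and plus signs separate RDNs, while parentheses are harmless there).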

Until the upgrade can be applied, consider restricting network access to the SMTP submission and IMAP authentication ports to trusted hosts only, to reduce the attack surface.

Monitor authentication logs for suspicious activity and consider implementing additional LDAP query logging or alerting to detect potential injection attempts.


How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

CVE-2026-40193 is an LDAP injection vulnerability in the maddy mail server's auth.ldap module that allows attackers to extract sensitive LDAP directory information, including password hashes and authorization data.

This unauthorized access to sensitive user data can lead to violations of data protection regulations such as GDPR and HIPAA, which require strict controls on personal and sensitive information to prevent unauthorized disclosure.

By enabling identity spoofing, directory enumeration, and extraction of sensitive attributes, the vulnerability undermines confidentiality and integrity of user data, potentially resulting in non-compliance with these standards.

Mitigation by upgrading to maddy version 0.9.3 or later is strongly advised to restore compliance by preventing unauthorized data access.

