CVE-2026-40606
Status: Received - Intake
LDAP Injection in mitmproxy's ProxyAuth Allows Authentication Bypass

Publication date: 2026-04-21

Last updated on: 2026-04-24

Assigner: GitHub, Inc.

Description
mitmproxy is an interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers, and mitmweb is a web-based interface for mitmproxy. In mitmproxy 12.2.1 and below, the built-in LDAP proxy authentication does not correctly sanitize the username before using it in the query sent to the LDAP server. This allows a malicious client to bypass authentication. Only mitmproxy instances using the proxyauth option with LDAP are affected; this option is not enabled by default. The vulnerability has been fixed in mitmproxy 12.2.2 and above.
Meta Information
Published: 2026-04-21
Last Modified: 2026-04-24
Generated: 2026-05-07
AI Q&A: 2026-04-21
EPSS Evaluated: 2026-05-05
Affected Vendors & Products (1 associated CPE)
Vendor: mitmproxy
Product: mitmproxy
Version / Range: up to 12.2.2 (excluding)
CWE
CWE-90: The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

The vulnerability in mitmproxy allows a malicious client to bypass LDAP authentication due to improper sanitization of the username input. This could potentially lead to unauthorized access to systems that rely on mitmproxy's LDAP proxy authentication.

Since the vulnerability allows authentication bypass with low confidentiality and integrity impact, it may increase the risk of unauthorized access to sensitive data or systems. This could affect compliance with standards and regulations such as GDPR or HIPAA, which require proper access controls and protection of personal or sensitive information.

However, the vulnerability only affects mitmproxy instances that have the proxyauth option with LDAP enabled, which is not the default setting, and the overall severity is moderate with limited impact.


Can you explain this vulnerability to me?

CVE-2026-40606 is an LDAP Injection vulnerability in mitmproxy versions 12.2.1 and earlier. It occurs in the built-in LDAP proxy authentication feature when the proxyauth option with LDAP is enabled, which is not the default setting.

The vulnerability arises because the username input is not properly sanitized before being used in LDAP queries. This allows a malicious client to manipulate the LDAP query and bypass authentication controls.

This flaw is classified as CWE-90: Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection'), meaning special characters in the username can alter the intended LDAP query logic.


How can this vulnerability impact me?

This vulnerability allows an attacker to bypass authentication on mitmproxy instances that use LDAP proxy authentication with the proxyauth option enabled.

The attacker does not need any privileges or user interaction to exploit this issue, but the attack complexity is high, requiring specific conditions.

The impact includes limited confidentiality and integrity exposure, meaning some data could be accessed or modified, but availability is not affected.

Overall, the severity is moderate with a CVSS v3.1 base score of 4.8.


How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability affects mitmproxy instances that have the proxyauth option enabled with LDAP authentication. Detection therefore starts with checking whether your mitmproxy configuration uses LDAP proxy authentication via the proxyauth option and whether the running version is 12.2.1 or below.

Since the vulnerability is due to improper sanitization of usernames in LDAP queries, monitoring LDAP authentication logs for unusual or malformed username inputs that could indicate LDAP injection attempts may help detect exploitation attempts.

There are no specific commands provided in the resources to detect this vulnerability directly.


What immediate steps should I take to mitigate this vulnerability?

The primary mitigation step is to upgrade mitmproxy to version 12.2.2 or later, where the vulnerability has been fixed by properly sanitizing the username input in LDAP proxy authentication.

If upgrading immediately is not possible, consider disabling the proxyauth option with LDAP authentication; this feature is not enabled by default, and only instances using it are affected.

Additionally, monitor your LDAP authentication logs for suspicious activity and restrict access to the mitmproxy instance to trusted clients to reduce the risk of exploitation.
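An added example (not mitmproxy's own code) of the two practices the answers above describe: neutralising LDAP filter metacharacters per RFC 4515 before a username is placed in a query, and flagging usernames in authentication logs that carry filter syntax. The log line format, the `user=` field and the `uid` attribute are assumptions made for the example.

```python
import re

# RFC 4515 escapes for the characters that carry structural meaning in an
# LDAP search filter; everything else passes through unchanged.
_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Neutralise filter metacharacters so the value can only match literally."""
    return "".join(_ESCAPES.get(ch, ch) for ch in value)


def unsafe_user_filter(username: str, attribute: str = "uid") -> str:
    """The CWE-90 pattern: raw client input spliced into the filter, so a '*'
    or a ')' in the username changes what the query matches."""
    return f"({attribute}={username})"


def safe_user_filter(username: str, attribute: str = "uid") -> str:
    """Hardened form: the same filter with the username escaped first."""
    return f"({attribute}={escape_ldap_filter_value(username)})"


def has_filter_metacharacters(username: str) -> bool:
    """Detection check: does a submitted username contain filter syntax?"""
    return any(ch in username for ch in _ESCAPES)


# Constructed sample auth log lines (hypothetical format, not mitmproxy's).
SAMPLE_LOG_LINES = [
    "2026-04-21T10:00:01 proxyauth user=alice result=ok",
    "2026-04-21T10:00:07 proxyauth user=bob* result=ok",
    "2026-04-21T10:00:09 proxyauth user=(carol) result=fail",
]


def flag_suspicious_usernames(log_lines):
    """Return the usernames from 'user=<name>' fields that carry LDAP filter
    syntax; these are the entries worth reviewing for injection attempts."""
    flagged = []
    for line in log_lines:
        m = re.search(r"user=(\S+)", line)
        if m and has_filter_metacharacters(m.group(1)):
            flagged.append(m.group(1))
    return flagged
```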

