CVE-2026-44054
Predictable Session Token in Netatalk
Publication date: 2026-05-21
Last updated on: 2026-05-21
Assigner: securin
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| netatalk | netatalk | to 4.4.2 (inc) |
| netatalk | netatalk | 4.4.3 |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-330 | The product uses insufficiently random numbers or values in a security context that depends on unpredictable numbers. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Netatalk versions 2.0.0 through 4.4.2 and involves a predictable afpd session token. This means that the token used to manage sessions in the Apple Filing Protocol daemon (afpd) can be guessed or predicted by an attacker. The issue was fixed in version 4.4.3.
How can this vulnerability impact me? :
Because the afpd session token is predictable, an attacker could potentially hijack or interfere with active sessions. According to the CVSS score (6.5) and vector, the vulnerability can be exploited remotely with low complexity and requires low privileges, but it does not impact confidentiality or integrity. However, it can cause a high impact on availability, meaning it could disrupt service or cause denial of service.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability in Netatalk versions 2.0.0 through 4.4.2 is fixed in version 4.4.3. Immediate mitigation should include upgrading Netatalk to version 4.4.3 or later.