CVE-2026-4408
Status: Modified (updated after analysis)
Remote Command Execution in Samba via Check Password Script Misconfiguration

Publication date: 2026-05-28

Last updated on: 2026-06-15

Assigner: Red Hat, Inc.

Description
A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the "check password script" feature. If this script is configured with the %u substitution character, the client-controlled username is passed without proper escaping of shell meta-characters. This vulnerability allows an attacker to achieve remote command execution on the affected system. This issue primarily affects non-standard configurations where the "check password script" is used with %u and the samba-dcerpcd service is started as a system service.
Meta Information
Published: 2026-05-28
Last Modified: 2026-06-15
Generated: 2026-06-17
AI Q&A: 2026-05-28
EPSS Evaluated: 2026-06-16
External references: NVD, EUVD
Affected Vendors & Products
Showing 5 associated CPEs

Vendor   Product                        Version / Range
redhat   enterprise_linux               7.0
redhat   enterprise_linux               6.0
redhat   openshift_container_platform   4.0
redhat   enterprise_linux               9.0
samba    samba                          from 4.1.0 (inclusive) to 4.21.0 (exclusive)
CWE
CWE-78: The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component.
Impact Analysis

This vulnerability allows a remote attacker to execute arbitrary commands on an affected Samba server by supplying a username containing shell meta-characters to a password-check path that expands %u into the script's command line. The injected commands run with the privileges of the Samba process that invokes the script, so a successful attack can mean full control of the host: data theft, theft of credentials held on the server, disruption of services, and a foothold for further attacks within the network. The advisory description characterises the attacker only as remote; it does not state whether authentication is required.

Executive Summary

CVE-2026-4408 is a remote command execution vulnerability in Samba. It affects Samba file servers and classic (NT4-style) domain controllers that use the "check password script" feature with the %u substitution in the script's command line. Samba expands %u to the client-controlled username without escaping shell meta-characters, so characters such as ";" in the username are interpreted as shell syntax when the script is run, and an attacker can append commands of their choosing that execute on the server.

This issue primarily affects non-standard configurations where "check password script" is used with %u and the samba-dcerpcd service runs as a system service rather than being started on demand by smbd. Configurations that do not set "check password script", or that set it without %u, are not affected. The advisory description names Samba file servers and classic domain controllers; it does not list Active Directory domain controllers.
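
The mechanism described above, reproduced as an added example that is not Samba code and not part of this advisory: a password-check command line is built by textual substitution of the client-supplied username, the way a %u expansion is, and handed to a shell; the same check invoked with the username as a single argv element cannot be broken out of. The pwcheck.sh stand-in, the usernames and the password are constructed for the demo.

```shell
#!/bin/sh
# Added example, not Samba code: reproduces the CWE-78 pattern the advisory
# describes. The command line for a password-check script is built by textual
# substitution of the client-supplied username (as a %u expansion does) and
# handed to a shell; the same check invoked with the username as one argv
# element cannot be broken out of. The pwcheck.sh stand-in, the usernames and
# the password are constructed for the demo.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Stand-in for a site complexity checker: $1 is the username, the candidate
# password arrives on standard input (which is how Samba supplies it).
cat > "$WORK/pwcheck.sh" <<'EOF'
#!/bin/sh
IFS= read -r pw
echo "checked user=$1 len=${#pw}"
EOF
chmod +x "$WORK/pwcheck.sh"

# Vulnerable pattern: expand the username into the command string, then let a
# shell parse the result. Meta-characters in the username become shell syntax.
run_check_vulnerable() {  # $1 = client-controlled username
    cmd="$WORK/pwcheck.sh $1"   # what "check password script = ... %u" yields
    printf 'Hunter2!\n' | sh -c "$cmd"
}

# Hardened pattern: nothing re-parses the line; the username is one argument
# regardless of which characters it contains.
run_check_safe() {  # $1 = client-controlled username
    printf 'Hunter2!\n' | "$WORK/pwcheck.sh" "$1"
}

# Demo run: the first call prints "checked user=alice len=8" followed by the
# line INJECTED, i.e. the appended command ran; the second prints a single line
# "checked user=alice; echo INJECTED len=8" and runs nothing extra.
run_check_vulnerable 'alice; echo INJECTED'
run_check_safe 'alice; echo INJECTED'
```

The only difference between the two functions is whether a shell gets to tokenise the username, which is why the advisory's mitigation is to stop substituting %u rather than to filter characters in the script itself: by the time the script runs, the injected command has already been parsed and executed.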

Detection Guidance

A system is affected when both conditions hold: the effective Samba configuration sets "check password script" with the %u substitution in its command line, and samba-dcerpcd runs as a system service rather than being started on demand by smbd.

Check the effective configuration rather than only /etc/samba/smb.conf, because that file may pull in others via "include =" and the compiled-in path may differ (smbd -b prints it). testparm -s prints the merged configuration Samba actually uses:

  • Run: testparm -s 2>/dev/null | grep -i 'check password script'
  • If the parameter is printed, check whether its value contains %u. A value that names the script without %u does not pass the username on the command line and is not affected by this issue.

Then check how samba-dcerpcd is run. By default smbd starts the helper on demand; it runs as a separate system service when an administrator has enabled a unit for it, which on Samba 4.16 and later goes together with "rpc start on demand helpers = no" in the global section.

  • Run: systemctl is-active samba-dcerpcd
  • Run: testparm -s 2>/dev/null | grep -i 'rpc start on demand helpers'

If the script uses %u and samba-dcerpcd is active as a system service, the system is vulnerable. Also compare the installed version (smbd --version) against the affected range, 4.1.0 up to but not including 4.21.0; distribution packages often backport fixes without changing the upstream version string, so rely on the vendor advisory and package changelog rather than the version alone.
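
The checks above, as an added example that is not part of this advisory or of Samba: the functions below parse an smb.conf and report whether "check password script" carries %u and whether the configuration expects samba-dcerpcd to run stand-alone. The three sample configurations are constructed for the demo, the safe one showing the corrected setting the Mitigation Strategies section calls for; on a real host, point the functions at a file produced by `testparm -s` so that include= files are resolved. The "rpc start on demand helpers = no" heuristic is an assumption drawn from how the helper is normally deployed, not something the advisory states, so it is combined with a live systemd check rather than used alone.

```shell
#!/bin/sh
# Added example, not part of the advisory or of Samba: checks a Samba
# configuration for the two conditions the advisory describes, a
# "check password script" whose command line contains %u, and samba-dcerpcd
# configured to run as its own service rather than on demand. The sample
# configs below are constructed; against a live host feed the functions the
# output of `testparm -s`, which resolves include= files.

# Emit the config as "name=value" lines: comments and blank lines dropped,
# parameter names lowercased with whitespace collapsed (Samba ignores both
# case and spacing in parameter names), values trimmed.
normalise_conf() {  # $1 = config file
    awk '
        /^[[:space:]]*[;#]/ { next }
        index($0, "=") == 0 { next }
        {
            i = index($0, "=")
            name = substr($0, 1, i - 1); value = substr($0, i + 1)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", name)
            gsub(/[[:space:]]+/, " ", name)
            gsub(/^[[:space:]]+|[[:space:]]+$/, "", value)
            printf "%s=%s\n", tolower(name), value
        }' "$1"
}

# Print the last value set for a parameter (later lines win, as in Samba).
conf_get() {  # $1 = config file, $2 = parameter name in lowercase
    normalise_conf "$1" | awk -v p="$2" '
        { i = index($0, "="); if (substr($0, 1, i - 1) == p) v = substr($0, i + 1) }
        END { print v }'
}

# True when "check password script" is set and passes the username via %u.
cps_uses_username() {  # $1 = config file
    case "$(conf_get "$1" 'check password script')" in
        *%u*) return 0 ;;
    esac
    return 1
}

# True when the config tells smbd not to start samba-dcerpcd on demand, i.e.
# the helper is expected to run as a stand-alone (system) service. Assumption:
# this is how stand-alone deployments are normally configured.
dcerpcd_standalone_conf() {  # $1 = config file
    case "$(conf_get "$1" 'rpc start on demand helpers' | tr 'A-Z' 'a-z')" in
        no|false|0) return 0 ;;
    esac
    return 1
}

# Live check for hosts that manage the helper with systemd; not used by the
# offline verdict so that the demo runs anywhere.
dcerpcd_service_active() {
    command -v systemctl >/dev/null 2>&1 && systemctl is-active --quiet samba-dcerpcd
}

# Offline verdict from the configuration alone: exit 2 / VULNERABLE-CONFIG when
# both conditions are present, 1 / AT-RISK when only %u is, 0 / OK otherwise.
assess_conf() {  # $1 = config file
    if cps_uses_username "$1"; then
        if dcerpcd_standalone_conf "$1"; then
            echo "VULNERABLE-CONFIG"; return 2
        fi
        echo "AT-RISK"; return 1
    fi
    echo "OK"; return 0
}

# Constructed sample configs written to a temp dir; prints the dir path.
make_samples() {
    d=$(mktemp -d)
    cat > "$d/vuln.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   security = user
   ; site password-complexity checker, username on the command line
   Check Password Script = /usr/local/sbin/pwcheck.sh %u
   rpc start on demand helpers = no
EOF
    cat > "$d/ondemand.conf" <<'EOF'
[global]
   check password script = /usr/local/sbin/pwcheck.sh %u
   ; rpc start on demand helpers left at its default (yes)
EOF
    cat > "$d/safe.conf" <<'EOF'
[global]
   workgroup = EXAMPLE
   security = user
   # same checker, but the username is no longer substituted
   check password script = /usr/local/sbin/pwcheck.sh
EOF
    printf '%s\n' "$d"
}

# Demo: prints VULNERABLE-CONFIG, AT-RISK and OK for the three samples.
samples=$(make_samples)
for f in vuln ondemand safe; do
    printf '%s: ' "$f"; assess_conf "$samples/$f.conf" || true
done
rm -rf "$samples"
```

On a live host, run `testparm -s 2>/dev/null > /tmp/effective.conf` and pass that file to assess_conf, and treat an AT-RISK result as VULNERABLE-CONFIG when dcerpcd_service_active also succeeds.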

Mitigation Strategies

The direct mitigation is to stop passing the client-controlled username on the script's command line: edit the "check password script" line so that it no longer contains %u, or remove the parameter if the site check is not needed. Samba supplies the candidate password to the script on standard input, so a complexity checker that does not need the username keeps working without %u. Reload the configuration (smbcontrol smbd reload-config, or restart smbd) and confirm the effective value with testparm -s.

Alternatively, stop samba-dcerpcd as a system service, since the description ties exploitability to that deployment mode. This also removes the DCE-RPC named-pipe services the helper provides (SAMR, LSA, NETLOGON and others) unless smbd is configured to start it on demand, which can break domain operations that rely on those pipes; treat it as a short-term measure only.

  • Edit /etc/samba/smb.conf (or the file testparm reports) to remove %u from "check password script", or remove the parameter.
  • Run: systemctl stop samba-dcerpcd
  • Run: systemctl disable samba-dcerpcd

Apply the fixed packages from your Samba vendor as soon as they are available; the configuration changes above reduce exposure but do not replace the patch.

Compliance Impact

The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
