CVE-2026-4408
Remote Command Execution in Samba via Check Password Script Misconfiguration
Publication date: 2026-05-28
Last updated on: 2026-05-28
Assigner: Red Hat, Inc.
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| samba | samba | From 2026-05-19 (inc) to 2026-05-26 (inc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
AI Powered Q&A
How can this vulnerability impact me?
This vulnerability can allow a remote attacker to execute arbitrary commands on the affected Samba server without authentication. This means the attacker could potentially take full control of the system, leading to data theft, system compromise, disruption of services, or further attacks within the network.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The provided information does not specify how this vulnerability affects compliance with common standards and regulations such as GDPR or HIPAA.
Can you explain this vulnerability to me?
CVE-2026-4408 is a vulnerability in Samba that allows remote command execution. It occurs when Samba file servers or classic domain controllers use the "check password script" feature configured with the %u substitution character. In this case, the client-controlled username is passed to the script without properly escaping shell meta-characters, enabling an attacker to inject and execute arbitrary commands on the affected system.
This issue primarily affects non-standard configurations where the "check password script" is used with %u and the samba-dcerpcd service is running as a system service. Standard configurations and Active Directory Domain Controllers are not impacted.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability affects Samba file servers or classic domain controllers that have the "check password script" configured with the %u substitution character and where the samba-dcerpcd service is running as a system service.
To detect if your system is vulnerable, you should check your smb.conf configuration for the presence of a "check password script" that uses the %u substitution character.
- Run: grep -i 'check password script' /etc/samba/smb.conf
- If found, verify if the script uses the %u substitution character.
Additionally, check if the samba-dcerpcd service is running as a system service, which is required for the vulnerability to be exploitable.
- Run: systemctl status samba-dcerpcd
If both conditions are met, your system is likely vulnerable to this issue.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation involves disabling or modifying the "check password script" configuration to avoid using the %u substitution character, which passes unescaped usernames to the script.
Alternatively, stop the samba-dcerpcd service if it is running as a system service, since the vulnerability requires this service to be active.
- Edit /etc/samba/smb.conf to remove or modify the "check password script" to not use %u.
- Run: systemctl stop samba-dcerpcd
- Run: systemctl disable samba-dcerpcd
Apply any available patches or updates from your Samba vendor as soon as possible to fully remediate the vulnerability.
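The detection steps and the post-mitigation check above, as an added POSIX shell example that is not part of this advisory or of Samba itself. It parses a given smb.conf for a "check password script" value containing the literal %u substitution (matching the parameter name the way Samba does, ignoring case and whitespace, and skipping `#` and `;` comment lines), asks systemctl whether samba-dcerpcd is active, and reports whether both conditions hold; re-running it after editing smb.conf confirms the mitigation took effect. The function names, the default config path and the sample configuration used in the test are assumptions for illustration.

```shell
#!/bin/sh
# Added example (not from the advisory): defender-side check for the
# configuration the advisory describes. Assumes the literal "%u" the
# advisory names; the config path and function names are illustrative.

# Print every "check password script" value in a Samba config file that
# contains the %u substitution. Comment lines (# or ;) are ignored and the
# parameter name is matched case- and whitespace-insensitively, which is
# how Samba itself treats parameter names.
find_unescaped_check_script() {
    conf="$1"
    [ -r "$conf" ] || { echo "cannot read $conf" >&2; return 2; }
    awk '
        /^[[:space:]]*[#;]/ { next }               # skip comment lines
        /=/ {
            name = $0; sub(/=.*/, "", name)
            gsub(/[[:space:]]/, "", name)         # Samba ignores whitespace in names
            value = $0; sub(/^[^=]*=/, "", value)
            sub(/^[[:space:]]+/, "", value)
            sub(/[[:space:]]+$/, "", value)
            if (tolower(name) == "checkpasswordscript" && index(value, "%u") > 0)
                print value
        }' "$conf"
}

# Return 0 when samba-dcerpcd is active under systemd, 3 when systemctl
# is unavailable (container, non-systemd host), non-zero otherwise.
dcerpcd_active() {
    command -v systemctl >/dev/null 2>&1 || return 3
    systemctl is-active --quiet samba-dcerpcd
}

# Combine both conditions from the advisory. Exit status 1 means both are
# present (likely affected); 0 means the configuration does not match or
# the service is not active; 2 means the config file could not be read.
assess() {
    conf="${1:-/etc/samba/smb.conf}"
    hits=$(find_unescaped_check_script "$conf") || return $?
    if [ -z "$hits" ]; then
        echo "no 'check password script' using %u in $conf"
        return 0
    fi
    echo "check password script using %u found in $conf:"
    echo "$hits" | sed 's/^/  /'
    if dcerpcd_active; then
        echo "samba-dcerpcd is active as a system service: likely affected"
        return 1
    fi
    echo "samba-dcerpcd not active (or systemctl unavailable): review the service before concluding"
    return 0
}

# Usage: sh check_cve_2026_4408.sh [/path/to/smb.conf]
[ "${CHECK_SAMBA_NO_MAIN:-}" ] || assess "$@"
```

If the configuration pulls in other files with `include =`, run the check against the effective configuration that `testparm -s` prints (for example `testparm -s 2>/dev/null > /tmp/effective.conf`) rather than against smb.conf alone, otherwise a `check password script` set in an included file is missed.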