CVE-2026-14474
Received Received - Intake

SSSD LDAP sudo provider privilege escalation vulnerability

Vulnerability report for CVE-2026-14474, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: Red Hat, Inc.

Description

A flaw was found in SSSD's LDAP sudo provider. When the ldap_sudo_search_base option is not explicitly configured, SSSD searches the entire LDAP directory tree for sudoRole objects. An authenticated attacker with write access to any subtree can inject a sudoRole object granting root-level sudo privileges on all SSSD-enrolled hosts.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
redhat sssd *

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-1188 The product initializes or sets a resource with a default that is intended to be changed by the product's installer, administrator, or maintainer, but the default is not secure.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows an authenticated attacker with write access to inject sudoRole objects granting root-level sudo privileges on all SSSD-enrolled hosts. This escalation of privileges can lead to unauthorized access and control over sensitive systems and data.

Such unauthorized privilege escalation and potential data exposure can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict access controls and protection of sensitive information.

Impact Analysis

If you are using SSSD with the sudo LDAP provider and have not explicitly set the ldap_sudo_search_base option, an attacker with write access to any LDAP subtree can escalate their privileges.

This means the attacker could gain root-level sudo privileges on all systems enrolled with SSSD, potentially leading to full system compromise, unauthorized access, and control over critical resources.

Detection Guidance

To detect this vulnerability, you should check the SSSD configuration for the presence and value of the ldap_sudo_search_base option. If this option is not explicitly set, the system is vulnerable because SSSD will search the entire LDAP directory tree for sudoRole objects.

You can inspect the SSSD configuration file, typically located at /etc/sssd/sssd.conf, using commands like:

  • grep -i ldap_sudo_search_base /etc/sssd/sssd.conf
  • grep -i sudo_provider /etc/sssd/sssd.conf

Additionally, verify if sudo_provider is set to ldap or ad, as these configurations are affected by the vulnerability.

To detect unauthorized sudoRole objects injected by an attacker, you may need to audit your LDAP directory for unexpected sudoRole entries, especially those granting root-level privileges.

Mitigation Strategies

The immediate mitigation step is to explicitly configure the ldap_sudo_search_base option in the SSSD configuration to limit the LDAP subtree that SSSD searches for sudoRole objects.

By setting ldap_sudo_search_base to a specific, restricted LDAP subtree, you prevent SSSD from searching the entire LDAP directory tree, thereby reducing the risk of an attacker injecting malicious sudoRole objects.

Also, review and restrict write permissions on your LDAP directory to prevent unauthorized users from creating or modifying sudoRole objects.

If your sudo_provider is set to ipa, this vulnerability does not apply, so consider using ipa if feasible.

Executive Summary

This vulnerability exists in SSSD's LDAP sudo provider. When the ldap_sudo_search_base option is not explicitly configured, SSSD performs a subtree search across the entire LDAP directory for sudoRole objects.

Because of this, an authenticated attacker who has write access to any part of the LDAP directory can inject a sudoRole object. This injected object can grant root-level sudo privileges on all hosts that use SSSD for sudo authorization.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14474. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart