CVE-2026-14476
Received Received - Intake

Path Traversal in SSSD AD GPO Provider

Vulnerability report for CVE-2026-14476, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-07

Last updated on: 2026-07-07

Assigner: Red Hat, Inc.

Description

A path traversal flaw was found in SSSD's AD GPO provider. The ad_gpo_extract_smb_components() function does not sanitize .. sequences in the gPCFileSysPath LDAP attribute, allowing an attacker with AD GPO management access to write files outside the GPO cache directory as root. On default RHEL configurations with SELinux enforcing, this can be used to inject Kerberos configuration leading to authentication bypass.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-07
Last Modified
2026-07-07
Generated
2026-07-07
AI Q&A
2026-07-07
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
redhat sssd From 2026-07-02 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-23 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Compliance Impact

The vulnerability allows an attacker with AD GPO management access to write files as root outside the intended directory, potentially leading to authentication bypass via Kerberos configuration injection.

Such unauthorized access and authentication bypass could lead to violations of security controls required by common standards and regulations like GDPR and HIPAA, which mandate strict access controls and protection of sensitive data.

Therefore, exploitation of this vulnerability could compromise the confidentiality, integrity, and availability of systems and data, impacting compliance with these regulations.

Executive Summary

CVE-2026-14476 is a path traversal vulnerability in the SSSD's Active Directory Group Policy Object (AD GPO) provider. Specifically, the function ad_gpo_extract_smb_components() does not properly sanitize ".." sequences in the gPCFileSysPath LDAP attribute. This allows an attacker with AD GPO management access to write files outside the intended GPO cache directory with root privileges.

The vulnerability arises because the function converts backslashes to forward slashes but fails to properly handle path components, leading to a mismatch between libsmbclient's path clamping and the kernel's path resolution. On systems with SELinux enforcing (default on RHEL), this can be exploited to inject Kerberos configuration files, enabling authentication bypass.

Impact Analysis

This vulnerability can have serious impacts including allowing an attacker with AD GPO management access to write arbitrary files as root outside the intended directory.

  • On systems with SELinux enforcing mode, it can be used to inject malicious Kerberos configuration files, leading to Kerberos Key Distribution Center (KDC) redirection and authentication bypass.
  • On systems with SELinux permissive mode or disabled, it allows arbitrary file writes as root, potentially leading to full system compromise.
Detection Guidance

Detection of CVE-2026-14476 involves monitoring for unauthorized or unexpected file writes outside the GPO cache directory, especially in the /var/lib/sss/pubconf/krb5.include.d/ directory on systems with SELinux enforcing mode.

Since the vulnerability exploits path traversal in the ad_gpo_extract_smb_components() function related to the gPCFileSysPath LDAP attribute, reviewing AD GPO management logs for suspicious modifications or unusual LDAP attribute values containing '..' sequences can help detect exploitation attempts.

Specific commands are not provided in the available resources, but general approaches include:

  • Checking for unexpected files or changes in /var/lib/sss/pubconf/krb5.include.d/ with commands like: ls -l /var/lib/sss/pubconf/krb5.include.d/
  • Using audit tools to monitor file writes by the sssd process or root user in the affected directories.
  • Reviewing SELinux audit logs for denials or unusual access patterns related to sssd_public_t labeled files.
Mitigation Strategies

Immediate mitigation steps include restricting AD GPO management access to trusted administrators only, as the vulnerability requires such access to exploit.

Ensure SELinux is enabled and enforcing on affected systems, as this limits the impact by confining the exploit to specific directories and preventing arbitrary file writes.

Monitor and audit the gPCFileSysPath LDAP attribute values for suspicious '..' sequences and unauthorized changes.

Apply any available patches or updates from the vendor (Red Hat) addressing this vulnerability as soon as they are released.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-14476. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart