CVE-2026-4408

Severity: CRITICAL
WAF coverage: High
CVSS: 9.8
Published: 2026-05-28
CWE: CWE-78 (OS Command Injection)

A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the "check password script" feature. If this script is configured with the %u substitution character, the client-controlled username is passed without proper escaping of shell meta-characters. This vulnerability allows an attacker to achieve remote command execution on the affected system. This issue primarily affects non-standard configurations where the "check password script" is used with %u and the samba-dcerpcd service is started as a system service.
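As an added audit example (not part of this advisory or of Samba's own tooling), the following Python checks an smb.conf for the configuration condition described above: a "check password script" in [global] whose command line contains the %u substitution. It assumes the classic smb.conf syntax and that Samba matches parameter names ignoring case and internal whitespace; the second condition, samba-dcerpcd running as a system service, is a host-level check that the file alone cannot show.

```python
import re

PARAM = "checkpasswordscript"  # normalized form of "check password script"

def _normalize(name: str) -> str:
    """Samba matches parameter names ignoring case and internal whitespace."""
    return re.sub(r"\s+", "", name).lower()

def parse_smb_conf(text: str) -> dict[str, dict[str, str]]:
    """Minimal smb.conf parser -> {section: {normalized_param: value}};
    skips '#'/';' comment lines and joins backslash line continuations."""
    sections: dict[str, dict[str, str]] = {}
    current = None
    for raw in text.replace("\\\n", "").splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].strip().lower()
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][_normalize(key)] = value.strip()
    return sections

def audit_check_password_script(text: str) -> tuple[bool, str]:
    """Flag the smb.conf half of the advisory's trigger: a [global]
    'check password script' whose command line contains %u, which the
    advisory says expands the client-controlled username unescaped.
    (Whether samba-dcerpcd runs as a system service is a host check.)"""
    script = parse_smb_conf(text).get("global", {}).get(PARAM)
    if script is None:
        return False, "check password script not configured"
    if "%u" in script:
        return True, f"check password script expands %u: {script!r}"
    return False, f"check password script set without %u: {script!r}"

# Constructed sample configurations (not taken from the advisory).
VULNERABLE_CONF = """\
[global]
   ; classic DC with a password-quality hook, key written in mixed case
   Check Password Script = /usr/local/bin/pwcheck.sh %u
"""
NO_SUBSTITUTION_CONF = """\
[global]
   check password script = /usr/local/bin/pwcheck.sh
"""
```

A hit means only that the smb.conf side of the advisory's condition is present; confirm the samba-dcerpcd service state and the installed Samba version against the affected range before treating the host as exposed.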

WAF Coverage Analysis

Attack class: OS Command Injection (High WAF coverage)

OWASP: A03:2021 Injection

Rule group: 932xxx - Remote Code Execution

Affected Software

Vendor    Product                        Version
redhat    openshift_container_platform   4.0
samba     samba                          4.1.0 - 4.21.0
redhat    enterprise_linux               6.0
redhat    enterprise_linux               7.0
redhat    enterprise_linux               9.0
