Home / Vulnerability Intelligence / CVE-2026-40193

CVE-2026-40193 - Vulnerability Analysis

HighCVSS: 8.2

Last Updated: April 16, 2026

Maddy - LDAP Injection

Published: April 16, 2026Updated: April 16, 2026Remote Exploitable

Overview

Maddy < 0.9.3 contains an LDAP injection caused by improper escaping of user-supplied usernames in LDAP search filters and DN strings in auth.ldap module, letting attackers with network access to SMTP/IMAP authenticate as other users or enumerate LDAP, exploit requires network access to SMTP submission or IMAP interface.

Severity & Score

Severity: High

CVSS Score: 8.2

Impact

Attackers can spoof identities, enumerate LDAP directory, and extract LDAP attributes, potentially compromising authentication and user data.

Mitigation

Update to version 0.9.3 or later.

References

https://github.com/foxcpp/maddy/security/advisories/GHSA-5835-4gvc-32pc
https://github.com/foxcpp/maddy/commit/6a06337eb41fa87a35697366bcb71c3c962c44ba
https://github.com/foxcpp/maddy/releases/tag/v0.9.3

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-40193
Severity: High
CVSS Score: 8.2
Type: ldap_injection
Status: new

CWE

CWE-90

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N