Maddy Mail Server Hit by Critical LDAP Injection Flaw
The National Vulnerability Database (NVD) recently detailed CVE-2026-40193, a high-severity LDAP injection vulnerability impacting maddy mail server versions prior to 0.9.3. Maddy, known for its composable, all-in-one mail server capabilities, unfortunately overlooked proper LDAP filter escaping in its auth.ldap module. This oversight allows user-supplied usernames to be directly interpolated into LDAP search filters and DN strings without sanitization, despite the go-ldap/ldap/v3 library’s ldap.EscapeFilter() function being readily available.
This flaw manifests in three places: the filter built by Lookup(), and both the DN template and the filter used by AuthPlain(). An attacker with network access to either the SMTP submission or IMAP interface can exploit it by injecting arbitrary LDAP filter expressions through the username field during AUTH PLAIN or LOGIN commands. The consequences are severe: identity spoofing by manipulating filter results to authenticate as another user, enumeration of the LDAP directory using wildcard filters, and even blind extraction of LDAP attribute values, where the authentication response serves as a boolean oracle or the timing difference between distinct failure paths serves as a side channel. The NVD assigns this a CVSS score of 8.2 (HIGH) and categorizes it under CWE-90 (Improper Neutralization of Special Elements used in an LDAP Query (‘LDAP Injection’)).
The good news is that maddy has addressed this critical vulnerability in version 0.9.3. If you’re running an older iteration, it’s time to get patching.
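To make the root cause concrete, here is an added Go illustration (not maddy's code): the filter and DN templates are assumed, and the two escapers are my own implementations of the RFC 4515 and RFC 4514 rules that go-ldap's ldap.EscapeFilter() and ldap.EscapeDN() apply, placed next to the verbatim interpolation the advisory describes.

```go
package main

import (
	"fmt"
	"strings"
)

// Assumed templates; maddy's real ones come from the auth.ldap configuration.
const filterTmpl = "(&(objectClass=inetOrgPerson)(uid=%s))"
const dnTmpl = "uid=%s,ou=users,dc=example,dc=org"

// escapeFilter applies RFC 4515 value escaping, the rule ldap.EscapeFilter()
// implements: each filter metacharacter, NUL and non-ASCII byte becomes \XX.
func escapeFilter(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		if c := s[i]; strings.IndexByte(`*()\`, c) >= 0 || c == 0 || c > 0x7f {
			fmt.Fprintf(&b, `\%02x`, c)
		} else {
			b.WriteByte(c)
		}
	}
	return b.String()
}

// escapeDN applies RFC 4514 escaping for a value placed in a DN. Its special
// set differs from the filter one, so each AuthPlain() string needs its own.
func escapeDN(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c == 0:
			b.WriteString(`\00`)
		case strings.IndexByte(`\,+"<>;`, c) >= 0, i == 0 && (c == ' ' || c == '#'), i == len(s)-1 && c == ' ':
			b.WriteString(`\` + string(c))
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// vulnerableFilter is the pre-0.9.3 shape: the username goes in verbatim.
func vulnerableFilter(u string) string { return fmt.Sprintf(filterTmpl, u) }

// The fixed shape escapes before interpolating, for the filter and the DN alike.
func hardenedFilter(u string) string { return fmt.Sprintf(filterTmpl, escapeFilter(u)) }
func hardenedDN(u string) string     { return fmt.Sprintf(dnTmpl, escapeDN(u)) }

// containsFilterMeta is a defense-in-depth gate: mail usernames never carry
// these bytes, so reject early and log the attempt as a detection signal.
func containsFilterMeta(u string) bool { return strings.ContainsAny(u, "*()\\\x00") }
```

With a constructed username such as `alice*)(mail=*`, vulnerableFilter() returns a filter with an extra assertion and two wildcards, while hardenedFilter() returns one that can only match that literal string; a comma in the username likewise cannot add an RDN once escapeDN() has run.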
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-40193 | LDAP Injection | maddy mail server versions prior to 0.9.3 |
| CVE-2026-40193 | LDAP Injection | auth.ldap module in maddy |
| CVE-2026-40193 | LDAP Injection | Vulnerable code paths: Lookup() filter, AuthPlain() DN template, AuthPlain() filter |
| CVE-2026-40193 | Auth Bypass | Exploitable via username field in AUTH PLAIN or LOGIN commands over SMTP or IMAP |
| CVE-2026-40193 | Information Disclosure | LDAP directory enumeration and blind extraction of LDAP attribute values |