CVE-2026-44053: Netatalk dhcast128 Weak Crypto Exposes File Shares

The National Vulnerability Database has disclosed CVE-2026-44053, a high-severity vulnerability (CVSS 7.4) affecting Netatalk versions 1.5.0 through 4.2.2. The flaw stems from weak cryptography in the dhcast128 user authentication module (UAM). This weakness, categorized as CWE-327, could allow an unauthenticated attacker to compromise sensitive data.

Netatalk is an open-source implementation of the Apple Filing Protocol (AFP), allowing Unix-like systems to serve files to macOS clients. The dhcast128 UAM is used for user authentication, and its cryptographic deficiencies mean that credentials or session data could be intercepted and decrypted by an attacker on the network. The National Vulnerability Database rates the attack complexity as low and indicates that no user interaction is required, making this a straightforward vector for compromise.

Organizations running affected Netatalk versions are at significant risk of unauthorized access to shared files and potential lateral movement within their networks. The vulnerability has been addressed in Netatalk version 4.5.0. Defenders must prioritize patching to mitigate this clear and present danger.

What This Means For You

  • If your organization relies on Netatalk for file sharing, you need to immediately identify all instances running versions 1.5.0 through 4.2.2. Prioritize upgrading to Netatalk 4.5.0 or later. This isn't just about data confidentiality; weak authentication can be a gateway to full system compromise. Don't assume your network perimeter is enough to protect against this.
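An inventory check along the lines described above, as an added example that is not part of the original advisory or of the Netatalk project: it classifies a reported version against the ranges given here and reads the `uam list` setting in afp.conf to see whether the DHCAST128 module is enabled. The module names (`uams_dhx.so` and its `_pam`/`_passwd` variants), the sample config and the priority labels are assumptions of this example.

```python
import configparser
import re

# Ranges from the advisory text: affected 1.5.0 through 4.2.2, fixed in 4.5.0.
AFFECTED_MIN, AFFECTED_MAX, FIXED = (1, 5, 0), (4, 2, 2), (4, 5, 0)
# Assumption: Netatalk module names that provide the DHCAST128 (DHX) UAM.
DHCAST128_MODULES = {"uams_dhx.so", "uams_dhx_pam.so", "uams_dhx_passwd.so"}

# Constructed sample afp.conf, not taken from a real host.
SAMPLE_CONF = """\
[Global]
uam list = uams_dhx.so, uams_dhx2.so
"""


def version_status(text):
    """Classify a version string (e.g. from package inventory) against the advisory."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        return "unknown"
    v = tuple(int(p) for p in m.groups())
    if AFFECTED_MIN <= v <= AFFECTED_MAX:
        return "affected"
    if v >= FIXED:
        return "fixed"
    return "unlisted"  # below 1.5.0, or between 4.2.2 and 4.5.0: not stated


def dhcast128_enabled(conf_text):
    """True/False when [Global] sets 'uam list'; None when the build default applies."""
    cp = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cp.read_string(conf_text)
    for section in cp.sections():
        if section.lower() == "global" and cp.has_option(section, "uam list"):
            uams = set(re.split(r"[,\s]+", cp.get(section, "uam list").strip()))
            return bool(uams & DHCAST128_MODULES)
    return None


def triage(version_text, conf_text):
    """Patch-priority label; the ordering is this example's assumption."""
    status = version_status(version_text)
    if status != "affected":
        return "no-action" if status == "fixed" else "verify-manually"
    return "upgrade" if dhcast128_enabled(conf_text) is False else "upgrade-first"


if __name__ == "__main__":
    print(triage("netatalk 4.2.2", SAMPLE_CONF))
```

A `None` result from `dhcast128_enabled` means the config does not set `uam list`, so the compiled-in default decides; check the afp.conf man page for that build.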

🛡️ Detection Rules

3 detection rules auto-generated for this incident, mapped to MITRE ATT&CK.

Severity: high · ATT&CK: T1190 (Initial Access)

CVE-2026-44053: Netatalk dhcast128 Weak Crypto File Share Access

Sigma YAML — free preview
# Quoted because the title contains ": ", which is not valid in a plain YAML scalar.
title: 'CVE-2026-44053: Netatalk dhcast128 Weak Crypto File Share Access'
id: scw-2026-05-21-ai-1
status: experimental
level: high
description: |
  Detects potential exploitation of CVE-2026-44053 by identifying Netatalk processes attempting to access file shares using weak cryptography (dhcast128 uam) via guest accounts and specific AppleDouble directory access patterns. This indicates an attempt to leverage the vulnerability for unauthorized file share access.
author: SCW Feed Engine (AI-generated)
date: 2026-05-21
references:
  - https://shimiscyberworld.com/posts/nvd-CVE-2026-44053/
tags:
  - attack.initial_access
  - attack.t1190
logsource:
  category: authentication
detection:
  # Fields inside one selection are ANDed: all three must match in the same event.
  # Check that your log source populates Image, User and cs-uri; the rule matches
  # nothing if any of them is missing.
  selection:
    Image|contains:
      - 'netatalk'
    User|contains:
      - 'guest'
    cs-uri|contains:
      - '/.AppleDouble/'
  # condition is a key of detection, not a field inside the selection.
  condition: selection
falsepositives:
  - Legitimate administrative activity

Indicators of Compromise

ID | Type | Indicator
CVE-2026-44053 | Cryptographic Failure | Netatalk versions 1.5.0 through 4.2.2
CVE-2026-44053 | Cryptographic Failure | dhcast128 uam in Netatalk

Source & Attribution

Source Platform: NVD
Channel: National Vulnerability Database
Published: May 21, 2026 at 11:16 UTC

This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.
