Netatalk CVE-2026-44055: Shell Injection Vulnerability Disclosed
A critical shell injection vulnerability, CVE-2026-44055, has been identified in Netatalk versions 3.1.4 through 4.4.2. The National Vulnerability Database (NVD) reports this flaw stems from a bitwise OR logic bug, allowing for shell injection. This is a significant issue, as shell injection provides attackers direct command execution capabilities on affected systems, potentially leading to full system compromise.
The vulnerability carries a CVSS v3.1 score of 7.5 (HIGH severity). The vector CVSS:3.1/AV:N/AC:H/PR:L/UI:N/S:U/C:H/I:H/A:H describes a network-exploitable flaw (AV:N) that requires low privileges (PR:L) and no user interaction (UI:N), has high attack complexity (AC:H), and has high impact on confidentiality, integrity, and availability. The underlying weakness is categorized as CWE-78, Improper Neutralization of Special Elements used in an OS Command (‘OS Command Injection’).
Defenders must prioritize patching. Netatalk 4.4.3 contains the fix for CVE-2026-44055. Any organization running vulnerable versions should immediately upgrade to mitigate the risk of remote code execution. Attackers will undoubtedly be looking for unpatched instances, as the potential for system control is high.
What This Means For You
- If your organization uses Netatalk, you must immediately verify your version. If you are running Netatalk 3.1.4 through 4.4.2, you are exposed to CVE-2026-44055. Prioritize patching to version 4.4.3 or newer to prevent shell injection and potential remote code execution on your systems.
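A version triage for the check described above, as an added example (not code from NVD, the Netatalk project, or the original page). The host names and inventory lines are constructed. Versions are compared numerically so that 3.1.12 is not sorted below 3.1.4, and entries that cannot be parsed are reported as unknown rather than treated as safe.

```python
import re

# Range stated in the advisory: 3.1.4 through 4.4.2 inclusive, fixed in 4.4.3.
FIRST_AFFECTED = (3, 1, 4)
LAST_AFFECTED = (4, 4, 2)

# First x.y.z triple that does not start in the middle of a longer number.
_TRIPLE = re.compile(r"(?<![\d.])(\d+)\.(\d+)\.(\d+)")

def parse_version(text):
    """Return the first x.y.z version in text as a tuple of ints, or None."""
    match = _TRIPLE.search(text)
    return tuple(int(part) for part in match.groups()) if match else None

def classify(text):
    """Map a reported version string to a triage status."""
    version = parse_version(text)
    if version is None:
        return "unknown"        # never treat an unreadable version as safe
    if version < FIRST_AFFECTED:
        return "below-range"    # older than the range the advisory lists
    if version <= LAST_AFFECTED:
        return "affected"
    return "fixed"              # 4.4.3 or newer

def triage(inventory):
    """Classify 'host version-string' lines; returns {host: status}."""
    results = {}
    for line in inventory.splitlines():
        host, _, reported = line.strip().partition(" ")
        if host:
            results[host] = classify(reported)
    return results

# Constructed sample inventory (hypothetical hosts and package strings).
SAMPLE_INVENTORY = """\
nas-01 netatalk 3.1.4
nas-02 netatalk 3.1.12~ds-8
nas-03 netatalk 4.4.2
nas-04 netatalk 4.4.3
nas-05 netatalk 3.1.3
nas-06 netatalk (not reported)
"""

if __name__ == "__main__":
    for host, status in triage(SAMPLE_INVENTORY).items():
        print(f"{host}: {status}")
```

Hosts reported as `unknown` or `below-range` need manual follow-up, since the advisory only states the 3.1.4 through 4.4.2 range and the 4.4.3 fix.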
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-44055 | Command Injection | Netatalk versions 3.1.4 through 4.4.2 |
| CVE-2026-44055 | Command Injection | Netatalk bitwise or logic bug |
Source & Attribution
| Field | Value |
|---|---|
| Source Platform | NVD |
| Channel | National Vulnerability Database |
| Published | May 21, 2026 at 11:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.