Netatalk
cpe:2.3:a:netatalk:netatalk:*:*:*:*:*:*:*, +1 more
- >= 3.1.0, <= 4.4.2
A shell injection vulnerability has been identified in Netatalk versions 3.1.0 prior to 4.4.2. The issue arises because administrator-configured volume paths are embedded in shell commands without proper handling of quoting, potentially allowing command execution during service startup or reconfiguration. This vulnerability is not remotely exploitable through the Apple Filing Protocol (AFP) alone.
Exploitation of this vulnerability could lead to arbitrary command execution on the server where Netatalk is running.
Users can upgrade to Netatalk version 4.4.3 or later, which includes the necessary patch. Alternatively, the patch can be applied to a Netatalk 4.4.2 source tree. Netatalk administrators are advised to restrict write access to configuration files and avoid using paths with shell metacharacters until the vulnerability is patched.
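A defender-side check for the interim workaround above (avoiding volume paths with shell metacharacters): an added audit script, not Netatalk's own code, which assumes the INI-style afp.conf layout of one [section] per volume with a `path = ...` key and flags any configured path containing characters a POSIX shell would interpret.

```python
# Audit afp.conf-style volume paths for shell metacharacters.
# Added example for the advisory above, not Netatalk's own code. Assumes the
# INI-style afp.conf layout: one [section] per volume with a `path = ...` key.
import configparser
import re
import sys

# Characters a POSIX shell interprets in an unquoted word: whitespace, separators,
# redirections, substitutions, globbing and quoting characters.
SHELL_META = re.compile(r"""[\s;&|<>`$()*?\[\]{}'"\\]""")

# Constructed sample configuration; not taken from any real deployment.
SAMPLE_CONF = """\
[Global]
uam list = uams_dhx2.so
[Projects]
path = /srv/afp/projects
[Marketing]
path = /srv/afp/marketing docs
[R&D]
path = /srv/afp/R&D
"""

def find_risky_paths(conf_text):
    """Return (section, path, metacharacters) for each volume whose
    configured path contains at least one shell metacharacter."""
    parser = configparser.ConfigParser(interpolation=None)
    parser.read_string(conf_text)
    findings = []
    for section in parser.sections():
        if section == "Global":
            continue
        path = parser.get(section, "path", fallback=None)
        if path is None:  # e.g. [Homes] uses 'basedir regex', not 'path'
            continue
        bad = "".join(sorted(set(SHELL_META.findall(path))))
        if bad:
            findings.append((section, path, bad))
    return findings

def main(argv):
    """Audit the file named on the command line, or the built-in sample."""
    text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_CONF
    findings = find_risky_paths(text)
    for section, path, bad in findings:
        print(f"[{section}] path {path!r} has shell metacharacters {bad!r}")
    return 1 if findings else 0

if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it against the live configuration (for example `python3 audit.py /etc/netatalk/afp.conf`, path assumed); a non-zero exit status means at least one volume path should be renamed before the upgrade to 4.4.3 lands.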