CVE-2026-40193
Published: 16 April 2026
Summary
CVE-2026-40193 is a high-severity LDAP Injection (CWE-90) vulnerability in maddy (Maddy Project). Its CVSS base score is 8.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). It ranks at the 13.8th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): Requires validation of user-supplied usernames before interpolation into LDAP filters and DN strings, directly preventing LDAP injection attacks.
- SI-2 (Flaw Remediation): Mandates timely identification, reporting, and correction of flaws like this unescaped LDAP input vulnerability through patching to version 0.9.3 or later.
- Enables review of audit logs for anomalous authentication attempts, such as unusual usernames or patterns indicative of LDAP injection, enumeration, or spoofing.
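The audit-log review control above is easiest to act on with a concrete screen. The following is an added example, not maddy's code and not a log format maddy actually emits: it scans constructed authentication log lines (the `src=... user="..."` layout is an assumption) and flags usernames that contain the RFC 4515 filter metacharacters an LDAP injection attempt would need, tallying them per source address so enumeration bursts from one client stand out.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// Constructed sample lines in a hypothetical "key=value" auth log layout.
// maddy's real log format is not shown on the page and is assumed here.
var sampleLog = []string{
	`2026-04-16T10:00:01Z smtp: auth failed src=203.0.113.7 user="alice"`,
	`2026-04-16T10:00:02Z smtp: auth failed src=203.0.113.7 user="*"`,
	`2026-04-16T10:00:03Z imap: auth failed src=203.0.113.7 user="a(b)c"`,
	`2026-04-16T10:00:04Z imap: auth ok src=198.51.100.9 user="bob"`,
}

// lineRe pulls the client address and the username out of one log line.
var lineRe = regexp.MustCompile(`src=(\S+) user="([^"]*)"`)

// ldapFilterMeta lists the characters RFC 4515 requires to be escaped inside
// a filter value; a mailbox name has no reason to contain any of them.
const ldapFilterMeta = "*()\\\x00"

type finding struct{ Src, User string }

// suspiciousUsername reports whether a username carries filter metacharacters.
func suspiciousUsername(u string) bool { return strings.ContainsAny(u, ldapFilterMeta) }

// scan returns one finding per line whose username looks like filter syntax,
// plus a per-source tally so repeated probing from one address is visible.
func scan(lines []string) ([]finding, map[string]int) {
	var hits []finding
	perSrc := map[string]int{}
	for _, ln := range lines {
		m := lineRe.FindStringSubmatch(ln)
		if m == nil {
			continue // line does not carry an auth attempt
		}
		if suspiciousUsername(m[2]) {
			hits = append(hits, finding{Src: m[1], User: m[2]})
			perSrc[m[1]]++
		}
	}
	return hits, perSrc
}

func main() {
	hits, perSrc := scan(sampleLog)
	for _, h := range hits {
		fmt.Printf("suspicious username %q from %s\n", h.User, h.Src)
	}
	for src, n := range perSrc {
		fmt.Printf("%s: %d flagged attempt(s)\n", src, n)
	}
}
```

On an unpatched instance the flagged lines are the ones to investigate; after upgrading to 0.9.3 the same screen still catches clients that keep probing.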
MITRE ATT&CK Enterprise Techniques
Why these techniques?
LDAP injection in the authentication module of a public-facing mail server directly enables T1190 (remote exploitation via SMTP/IMAP) and T1087.002 (account enumeration through wildcard filters and attribute extraction).
NVD Description
maddy is a composable, all-in-one mail server. Versions prior to 0.9.3 contain an LDAP injection vulnerability in the auth.ldap module where user-supplied usernames are interpolated into LDAP search filters and DN strings via strings.ReplaceAll() without any LDAP filter escaping, despite the go-ldap/ldap/v3 library's ldap.EscapeFilter() function being available in the same import. This affects three code paths: the Lookup() filter, the AuthPlain() DN template, and the AuthPlain() filter. An attacker with network access to the SMTP submission or IMAP interface can inject arbitrary LDAP filter expressions through the username field in AUTH PLAIN or LOGIN commands. This enables identity spoofing by manipulating filter results to authenticate as another user, LDAP directory enumeration via wildcard filters, and blind extraction of LDAP attribute values using authentication responses as a boolean oracle or via timing side-channels between the two distinct failure paths. This issue has been fixed in version 0.9.3.
Deeper analysis
CVE-2026-40193 is an LDAP injection vulnerability (CWE-90) in the auth.ldap module of maddy, a composable all-in-one mail server. Versions prior to 0.9.3 interpolate user-supplied usernames into LDAP search filters and DN strings using strings.ReplaceAll() without LDAP filter escaping, even though the go-ldap/ldap/v3 library's ldap.EscapeFilter() function is available in the same import. The flaw affects three code paths: the Lookup() filter, the AuthPlain() DN template, and the AuthPlain() filter.
An attacker with network access to the SMTP submission or IMAP interface can exploit this vulnerability by injecting arbitrary LDAP filter expressions through the username field in AUTH PLAIN or LOGIN commands. This enables identity spoofing by manipulating filter results to authenticate as another user, LDAP directory enumeration via wildcard filters, and blind extraction of LDAP attribute values using authentication responses as a boolean oracle or timing side-channels between distinct failure paths. The vulnerability carries a CVSS v3.1 base score of 8.2 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N).
The issue was fixed in maddy version 0.9.3. Mitigation requires upgrading to this version or later. Additional details are available in the GitHub security advisory (https://github.com/foxcpp/maddy/security/advisories/GHSA-5835-4gvc-32pc), release notes (https://github.com/foxcpp/maddy/releases/tag/v0.9.3), and the patching commit (https://github.com/foxcpp/maddy/commit/6a06337eb41fa87a35697366bcb71c3c962c44ba).
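The NVD description and the analysis above both come down to one defect: a username is dropped into a filter template and a DN template with strings.ReplaceAll() and no context-appropriate escaping. The following is an added example, not maddy's code and not taken from the fixing commit. The `{username}` placeholder and the two templates are assumptions; `escapeFilter` is a stand-in that applies the same RFC 4515 escaping as go-ldap's ldap.EscapeFilter() (so it runs without the third-party module), and `escapeDN` applies RFC 4514 escaping for the bind-DN path, which filter escaping alone does not cover. The `validUsername` allow-list is the SI-10 layer in front of both.

```go
package main

import (
	"errors"
	"fmt"
	"regexp"
	"strings"
)

// Hypothetical templates with a {username} placeholder (an assumption; the
// page does not show maddy's real config keys or placeholder syntax).
const (
	filterTemplate = "(&(objectClass=inetOrgPerson)(uid={username}))"
	dnTemplate     = "uid={username},ou=people,dc=example,dc=org"
)

// escapeFilter is a stand-in for go-ldap's ldap.EscapeFilter: it hex-escapes
// the RFC 4515 metacharacters (\ * ( ) NUL) and, like go-ldap, any non-ASCII
// byte, so the directory compares the value literally.
func escapeFilter(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		if c == '\\' || c == '*' || c == '(' || c == ')' || c == 0 || c > 0x7f {
			fmt.Fprintf(&b, `\%02x`, c)
		} else {
			b.WriteByte(c)
		}
	}
	return b.String()
}

// escapeDN escapes an attribute value for use inside a DN per RFC 4514.
// The DN path needs this, not filter escaping: the special characters differ.
func escapeDN(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c == 0:
			b.WriteString(`\00`)
		case strings.IndexByte(`,+"\<>;=`, c) >= 0:
			b.WriteByte('\\')
			b.WriteByte(c)
		case c == '#' && i == 0:
			b.WriteString(`\#`)
		case c == ' ' && (i == 0 || i == len(s)-1):
			b.WriteString(`\ `)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// usernameRe is an allow-list for mailbox names (input validation, SI-10).
// The character set is an assumption; tighten it to local naming policy.
var usernameRe = regexp.MustCompile(`^[A-Za-z0-9._@-]{1,255}$`)

func validUsername(u string) bool { return usernameRe.MatchString(u) }

// vulnerableFilter reproduces the pre-0.9.3 pattern: raw interpolation, so
// filter syntax in the username becomes filter syntax in the query.
func vulnerableFilter(username string) string {
	return strings.ReplaceAll(filterTemplate, "{username}", username)
}

// buildAuthRequest is the hardened form: reject what the allow-list does not
// permit, then escape per context before interpolating into each template.
func buildAuthRequest(username string) (dn, filter string, err error) {
	if !validUsername(username) {
		return "", "", errors.New("username rejected by allow-list")
	}
	dn = strings.ReplaceAll(dnTemplate, "{username}", escapeDN(username))
	filter = strings.ReplaceAll(filterTemplate, "{username}", escapeFilter(username))
	return dn, filter, nil
}

func main() {
	for _, u := range []string{"alice", "*", "a(b)c"} {
		fmt.Printf("input %q\n  unescaped filter: %s\n", u, vulnerableFilter(u))
		dn, f, err := buildAuthRequest(u)
		if err != nil {
			fmt.Printf("  hardened: %v\n", err)
			continue
		}
		fmt.Printf("  hardened dn: %s\n  hardened filter: %s\n", dn, f)
	}
	// Escaping alone, without the allow-list, also neutralises the metacharacters.
	fmt.Printf("escaped %q -> %s\n", "a(b)c", escapeFilter("a(b)c"))
}
```

Running it shows the unescaped `*` turning the filter into a wildcard match, while the hardened path either rejects the input outright or encodes it as `\2a` so it can only match a literal asterisk. The same two-layer shape (validate, then escape for the exact context) is what a fix for all three code paths named in the advisory needs.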
Details
- CWE(s)