{"id":"CVE-2026-4408","summary":"Samba: remote code execution in samr","details":"A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the \"check password script\" feature. If this script is configured with the %u substitution character, the client-controlled username is passed without proper escaping of shell meta-characters. This vulnerability allows an attacker to achieve remote command execution on the affected system. This issue primarily affects non-standard configurations where the \"check password script\" is used with %u and the samba-dcerpcd service is started as a system service.","modified":"2026-06-11T04:01:45.370612323Z","published":"2026-05-28T07:25:27.169Z","related":["ALSA-2026:22644","ALSA-2026:22963","SUSE-SU-2026:2071-1","SUSE-SU-2026:2072-1","SUSE-SU-2026:2073-1","SUSE-SU-2026:2074-1","SUSE-SU-2026:2076-1","SUSE-SU-2026:2108-1","SUSE-SU-2026:22045-1","openSUSE-SU-2026:10884-1","openSUSE-SU-2026:20905-1"],"database_specific":{"cna_assigner":"redhat","osv_generated_from":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/4xxx/CVE-2026-4408.json","cwe_ids":["CWE-78"]},"references":[{"type":"WEB","url":"https://access.redhat.com/downloads/content/package-browser/"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:22644"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:22963"},{"type":"ADVISORY","url":"https://access.redhat.com/errata/RHSA-2026:25049"},{"type":"ADVISORY","url":"https://access.redhat.com/security/cve/CVE-2026-4408"},{"type":"ADVISORY","url":"https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/4xxx/CVE-2026-4408.json"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-4408"},{"type":"REPORT","url":"https://bugzilla.redhat.com/show_bug.cgi?id=2479762"},{"type":"REPORT","url":"https://bugzilla.samba.org/show_bug.cgi?id=16034"}],"affected":[{"ranges":[{"type":"GIT","repo":"https://github.com/samba-team/samba","events":[{"introduced":"a6fb418be7adccdd583a3b489b58023cfdd392ef"},{"fixed":"1c7d4b5b388ae2647732ed54834d5547a8c1357a"}],"database_specific":{"source":"CPE_RANGE","cpe":"cpe:2.3:a:samba:samba:*:*:*:*:*:*:*:*","extracted_events":[{"introduced":"4.1.0"},{"fixed":"4.21.0"}]}}],"database_specific":{"source":"https://storage.googleapis.com/osv-test-cve-osv-conversion/osv-output/CVE-2026-4408.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H"}]}