Password Hashing Flaw in 389 Directory Server by Red Hat
CVE-2026-11790

4.9MEDIUM

Key Information:

Vendor: Red Hat
Status: Red Hat Directory Server 11; Red Hat Directory Server 12; Red Hat Directory Server 13; Red Hat Enterprise Linux 10
Vendor: CVE Published:; 9 June 2026

What is CVE-2026-11790?

A vulnerability has been identified in Red Hat's 389 Directory Server, specifically within the PBKDF2-SHA256 password storage plugin. This flaw allows a privileged attacker to modify user password hashes, failing to enforce an upper limit on the iteration count used during authentication. As a result, this can lead to excessive CPU usage, potentially causing a denial of service that disrupts access for legitimate users.