LDAP Injection Vulnerability in Maddy Mail Server by Foxcpp
CVE-2026-40193

8.2HIGH

Key Information:

Vendor

Foxcpp

Status
Maddy
Vendor
CVE Published:
15 April 2026

What is CVE-2026-40193?

Maddy, a versatile all-in-one mail server developed by Foxcpp, is susceptible to an LDAP injection vulnerability present in its auth.ldap module in versions prior to 0.9.3. This flaw allows attackers to submit malicious LDAP filter expressions through the username field during authentication processes. It affects the Lookup() filter, the AuthPlain() DN template, and the AuthPlain() filter, enabling unauthorized users to impersonate legitimate accounts, enumerate directory information, and extract sensitive LDAP attributes by exploiting timing discrepancies and boolean oracle responses. The vulnerability has been addressed in version 0.9.3.

Affected Version(s)

maddy < 0.9.3

References

https://github.com/foxcpp/maddy/security/advisories/GHSA-...
x_refsource_CONFIRM
https://github.com/foxcpp/maddy/commit/6a06337eb41fa87a35...
x_refsource_MISC
https://github.com/foxcpp/maddy/releases/tag/v0.9.3
x_refsource_MISC

CVSS V3.1

Score:
8.2
Severity:
HIGH
Confidentiality:
High
Integrity:
Low
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
None
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

.