CVE-2026-4408: Samba Check Password Script Remote Command Execution
Samba file servers and domain controllers are vulnerable to remote command execution when administrators configure the optional "check password script" feature with the %u substitution character. This combination allows attackers to inject shell commands through usernames during authentication, running arbitrary code on the server. The vulnerability requires a specific (non-standard) configuration to be present, but when it is, the attack can be executed over the network without authentication or user interaction.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 9.0 CRITICAL · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-78
- Affected products
- 5 configuration(s)
- Published / Modified
- 2026-05-28 / 2026-07-03
NVD description (verbatim)
A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the "check password script" feature. If this script is configured with the %u substitution character, the client-controlled username is passed without proper escaping of shell meta-characters. This vulnerability allows an attacker to achieve remote command execution on the affected system. This issue primarily affects non-standard configurations where the "check password script" is used with %u and the samba-dcerpcd service is started as a system service.
34 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-4408 is a shell metacharacter injection flaw in Samba's check password script handler. When the check password script feature is enabled with %u substitution, Samba passes the client-supplied username directly to the shell without sanitizing shell metacharacters. An unauthenticated remote attacker can craft a malicious username containing shell operators (pipes, command substitution, redirects, etc.) that execute arbitrary commands in the context of the samba-dcerpcd service. The CVSS 3.1 score of 9.0 (CRITICAL) reflects network accessibility, high impact across confidentiality, integrity, and availability, though exploitation requires the specific script configuration and service architecture to be in place.
Business impact
This vulnerability poses severe risk to organizations using Samba-based file services or acting as domain controllers, particularly in hybrid or legacy environments. Successful exploitation enables attackers to gain command execution on identity and file infrastructure, potentially leading to lateral movement, data exfiltration, ransomware deployment, or disruption of authentication services. The blast radius depends on service privileges and network exposure; systems running samba-dcerpcd as a system service are at heightened risk. Organizations relying on Samba for compliance-sensitive functions (HIPAA, PCI-DSS, SOX) face compounded operational and regulatory consequences.
Affected systems
Red Hat Enterprise Linux (multiple versions), Red Hat OpenShift Container Platform, and Samba installations are affected. The vulnerability is specific to deployments where: (1) check password script is configured, (2) %u substitution is used in the script configuration, and (3) samba-dcerpcd runs as a system service. Standard default Samba configurations are not affected. Organizations should audit their Samba configurations to identify if check password script is in use and how it handles username substitution.
Exploitability
The vulnerability has a CVSS access complexity rating of High, meaning exploitation is not trivial; attackers must identify systems with the specific configuration and craft appropriate shell metacharacter payloads. However, once a vulnerable configuration is confirmed, the attack is reliable and requires no credentials or user interaction. The attack surface is network-wide for any exposed Samba service. There is currently no evidence of active exploitation in the wild (KEV status: not listed).
Remediation
Organizations must remediate by upgrading Samba to a patched version; verify the specific version numbers in Red Hat and Samba security advisories. For environments unable to patch immediately, disable or reconfigure the check password script feature, remove %u substitution from any active scripts, or restrict network access to Samba services via firewall rules. Review samba-dcerpcd service configuration to ensure it runs with minimal necessary privileges and not as root where possible.
Patch guidance
Apply security updates from Red Hat (RHEL versions) and Samba project as they become available. Consult official Red Hat Security Advisories and Samba release notes for specific CVE-2026-4408 patch versions and upgrade paths for your deployed version. Test patches in a non-production environment first, given the critical nature of file and authentication infrastructure. Organizations on OpenShift Container Platform should watch for container image updates that include patched Samba binaries.
Detection guidance
Monitor samba-dcerpcd process execution logs and system call traces for unusual child process spawning or shell invocations (e.g., /bin/bash, /bin/sh) originating from the Samba service. Audit authentication logs for suspicious username patterns containing shell metacharacters (backticks, $(), |, &, ;, etc.). Configure SIEM rules to alert on check password script invocations that fail or produce unexpected exit codes. Network-level detection is difficult without payload inspection, but behavioral anomalies (file system changes, outbound connections from Samba process) may signal post-exploitation activity.
Why prioritize this
This vulnerability merits immediate prioritization due to its CRITICAL severity score, network exploitability without authentication, and potential for complete system compromise. While exploitation requires a non-standard configuration, the consequence—direct command execution on identity and file infrastructure—is extreme. Any organization confirming the vulnerable configuration should treat this as urgent. Even those on default configs should verify their Samba deployment does not inadvertently use check password script.
Risk score, explained
The CVSS 3.1 score of 9.0 reflects: Network vector (remote attack), High complexity (requires specific config), no privilege or user interaction required, and confidentiality/integrity/availability impact rated as High. The score is tempered slightly by configuration-specificity (AC:H), but the overall severity remains CRITICAL because the impact—complete system compromise—is maximal when conditions align.
Frequently asked questions
Does this affect standard Samba installations?
No. The vulnerability requires the optional "check password script" feature to be configured with %u substitution. Default Samba deployments do not use this feature and are not vulnerable. Check your smb.conf for any "check password script" directives to confirm your exposure.
Can this be exploited without network access to the Samba service?
No. The vulnerability is remote but requires the attacker to reach the Samba authentication interface (typically SMB port 445 or DCE-RPC ports). Internal network segmentation and firewall rules limiting Samba access reduce exploitability.
What should we do if we rely on check password script for custom authentication?
Upgrade Samba immediately once patches are available. In the interim, reconfigure the script to avoid %u substitution or use alternative username handling methods (e.g., pass fixed parameters and avoid shell injection surface). Consider using Samba's native LDAP or Kerberos integration instead.
Is this vulnerability being actively exploited?
No. As of the last update, this vulnerability has not been added to CISA's Known Exploited Vulnerabilities catalog, and no public exploit code has been disclosed. However, given the simplicity of the attack once a vulnerable config is found, proactive patching is strongly recommended.
This analysis is based on publicly available vulnerability data as of the publication date. Specific patch versions, affected version ranges, and vendor guidance should be verified directly with Red Hat Security Advisories, Samba security announcements, and official vendor documentation. This assessment does not constitute professional security advice and should be reviewed in the context of your organization's specific deployment and risk profile. Always test patches in non-production environments before production deployment. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2025-41265HIGHWaterfall WF-500 TX Host OS Command Injection (CVSS 7.2)
- CVE-2025-41266HIGHWaterfall WF-500 TX Host Command Injection Vulnerability Analysis
- CVE-2025-41267HIGHWaterfall WF-500 TX Host Command Injection Vulnerability
- CVE-2025-41279HIGHOS Command Injection in Waterfall WF-500 RX Host Administration WebUI
- CVE-2025-41281HIGHWaterfall WF-500 OS Command Injection
- CVE-2025-69755HIGHNeterbit NW-431F Router RCE and Data Exposure Vulnerability
- CVE-2026-10214HIGHCommand Injection in chatgpt-on-wechat Bash Tool
- CVE-2026-10219HIGHGoClaw Command Injection Vulnerability
Preview — this page is review (quality 0.975). high-value: hold for review.