CVE-2026-40193: Maddy Mail Server has an LDAP Filter Injection via Unsanitized Username

April 13, 2026 (updated April 16, 2026)

The auth.ldap module constructs LDAP search filters and DN strings by directly interpolating user-supplied usernames via strings.ReplaceAll() without any LDAP filter escaping. An attacker who can reach the SMTP submission (AUTH PLAIN) or IMAP LOGIN interface can inject arbitrary LDAP filter expressions through the username field, enabling identity spoofing, LDAP directory enumeration, and attribute value extraction. The go-ldap/ldap/v3 library—already imported in the same file—provides ldap.EscapeFilter() specifically for this purpose, but it is never called.

References

github.com/advisories/GHSA-5835-4gvc-32pc
github.com/foxcpp/maddy
github.com/foxcpp/maddy/commit/6a06337eb41fa87a35697366bcb71c3c962c44ba
github.com/foxcpp/maddy/releases/tag/v0.9.3
github.com/foxcpp/maddy/security/advisories/GHSA-5835-4gvc-32pc
nvd.nist.gov/vuln/detail/CVE-2026-40193

Code Behaviors & Features

Detect and mitigate CVE-2026-40193 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →