CVE-2026-11790
MediumCVSS 4.9Exploitation Probability (EPSS)
Low risk26th percentile - higher than 26% of all known CVEs
Summary
A flaw was found in 389 Directory Server where the PBKDF2-SHA256 password storage plugin does not enforce an upper bound on the iteration count extracted from stored password hashes. A privileged attacker who can modify a user's password hash can cause excessive CPU consumption during authentication, resulting in denial of service.
Risk Assessment
The risk is a potential denial of service attack through password manipulation, which can disrupt directory services and impact system availability for other users.
Recommendation
It is recommended to immediately update 389 Directory Server to a version that introduces an upper bound on PBKDF2-SHA256 iteration count. If an update is not possible, restrict password modification access to trusted administrators only.
Original NVD description (English source)
A flaw was found in 389 Directory Server. The PBKDF2-SHA256 password storage plugin does not enforce an upper bound on the iteration count extracted from stored password hashes. A privileged attacker who can modify a user's password hash can cause excessive CPU consumption during authentication, resulting in denial of service.

