CVE-2026-4408
CriticalCVSS 9.0Exploitation Probability (EPSS)
High risk83th percentile — higher than 83% of all known CVEs
Summary
A flaw in Samba allows remote code execution via the "check password script" feature when %u substitution is used without proper shell escaping. An attacker can send a crafted username to execute arbitrary commands on the server.
Risk Assessment
The organization risks full remote compromise of the Samba server, potentially leading to data theft, service disruption, or further attacks on internal systems.
Recommendation
Immediately review the Samba configuration and remove %u from "check password script" or apply proper escaping. If not needed, disable the feature and ensure samba-dcerpcd is not running as a system service.
Original NVD description (English source)
A flaw was found in Samba. A remote attacker can exploit a misconfiguration in Samba file servers and classic domain controllers that use the "check password script" feature. If this script is configured with the %u substitution character, the client-controlled username is passed without proper escaping of shell meta-characters. This vulnerability allows an attacker to achieve remote command execution on the affected system. This issue primarily affects non-standard configurations where the "check password script" is used with %u and the samba-dcerpcd service is started as a system service.

