CVE-2026-14474 in SSSDinfo

Summary

by MITRE • 07/07/2026

A flaw was found in SSSD's LDAP sudo provider. When the ldap_sudo_search_base option is not explicitly configured, SSSD searches the entire LDAP directory tree for sudoRole objects. An authenticated attacker with write access to any subtree can inject a sudoRole object granting root-level sudo privileges on all SSSD-enrolled hosts.

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Analysis

by VulDB Data Team • 07/07/2026

This vulnerability exists within the SSSD (System Security Services Daemon) LDAP sudo provider implementation where the ldap_sudo_search_base configuration option lacks proper validation and default behavior handling. The flaw stems from the default assumption that when this parameter is not explicitly defined, the system should perform a broad search across the entire LDAP directory structure rather than limiting the scope to specific organizational units. This design decision creates an inherent privilege escalation vector because any authenticated user with write permissions to any LDAP subtree can create malicious sudoRole objects that propagate across all SSSD-managed hosts within the domain. The vulnerability directly maps to CWE-264, which addresses permissions, privileges, and access controls, specifically focusing on inadequate access control mechanisms in directory services. From an operational perspective, this issue represents a critical security weakness because it allows attackers to gain root-level privileges across multiple systems without requiring direct system access or elevated credentials beyond basic LDAP authentication.

The technical exploitation of this vulnerability requires an authenticated attacker with write permissions to any LDAP subtree within the directory structure. Once such access is established, the malicious user can inject a sudoRole object that contains rules granting full administrative privileges on all hosts managed by SSSD. This privilege escalation occurs because the default search behavior extends to the entire directory tree, meaning that any newly created sudoRole object regardless of its location in the LDAP hierarchy will be discovered and processed by all SSSD clients. The operational impact is severe as this vulnerability affects the fundamental security model of Unix/Linux systems that rely on SSSD for centralized authentication and authorization management. Systems using SSSD for sudo privilege delegation become immediately compromised upon successful exploitation, potentially allowing attackers to execute arbitrary commands with root privileges across all enrolled hosts in the domain.

The attack pattern aligns with ATT&CK technique T1078 002 which covers valid accounts with administrator privileges, specifically targeting the abuse of legitimate authentication mechanisms. This vulnerability demonstrates how weak default configurations can undermine security controls and create persistent backdoors within enterprise environments. Organizations implementing SSSD for centralized management face significant risk when this configuration is left unaddressed, as it effectively eliminates the principle of least privilege in sudo role management. The recommended mitigation involves explicitly configuring the ldap_sudo_search_base parameter to limit the search scope to specific organizational units containing legitimate sudoRole objects. Additionally, implementing strict access controls and monitoring for unauthorized LDAP modifications will help detect potential exploitation attempts. Regular security audits should verify that all SSSD configurations follow security best practices and that default behaviors are overridden with appropriate restrictions. The vulnerability highlights the importance of defensive programming principles and the necessity of explicit configuration validation to prevent unintended privilege escalation scenarios in enterprise authentication systems.

This flaw represents a classic example of how insufficient input validation and overly permissive default settings can create security vulnerabilities in enterprise infrastructure components. The lack of proper bounds checking in the LDAP search functionality combined with inadequate privilege management controls creates a situation where legitimate directory services become attack vectors for privilege escalation. Organizations should implement comprehensive monitoring solutions that track LDAP directory modifications and sudo role changes to detect anomalous activities that may indicate exploitation attempts. The vulnerability also underscores the critical need for security awareness training regarding default configurations in enterprise tools, as many administrators may not realize the implications of leaving certain parameters at their default values. Proper configuration management and regular security assessments are essential to prevent such vulnerabilities from being exploited in production environments where SSSD is deployed for authentication and authorization services.

Responsible

Redhat

Reservation

07/02/2026

Disclosure

07/07/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Interested in the pricing of exploits?

See the underground prices here!