CVE-2026-14476 in Red Hatinfo

Summary

by MITRE • 07/07/2026

A path traversal flaw was found in SSSD's AD GPO provider. The ad_gpo_extract_smb_components() function does not sanitize .. sequences in the gPCFileSysPath LDAP attribute, allowing an attacker with AD GPO management access to write files outside the GPO cache directory as root. On default RHEL configurations with SELinux enforcing, this can be used to inject Kerberos configuration leading to authentication bypass.

If you want to get best quality of vulnerability data, you may have to visit VulDB.

Analysis

by VulDB Data Team • 07/07/2026

The vulnerability under examination involves a path traversal flaw within SSSD's Active Directory Group Policy Object (GPO) provider implementation. This represents a critical security weakness that stems from inadequate input sanitization in the ad_gpo_extract_smb_components() function, which processes the gPCFileSysPath LDAP attribute. The flaw specifically targets the handling of .. sequences that can appear within this attribute, creating an opportunity for malicious path manipulation that extends beyond intended boundaries.

The technical mechanism of exploitation relies on the improper validation of directory traversal sequences within the gPCFileSysPath attribute values. When SSSD processes GPO configurations, it fails to adequately sanitize these paths before using them in file system operations, allowing attackers with AD GPO management privileges to craft malicious LDAP entries containing .. sequences. This vulnerability specifically affects the GPO cache directory structure where SSSD stores processed group policy information, enabling arbitrary file write operations outside of the designated cache boundaries.

The operational impact of this vulnerability is severe, particularly when considering that SSSD runs with root privileges during GPO processing operations. An attacker who has gained access to AD GPO management capabilities can leverage this flaw to write files anywhere within the system's filesystem hierarchy, effectively elevating their privileges to root level. The default RHEL configurations with SELinux enforcing create an additional attack surface where malicious file injection can be used to place specially crafted Kerberos configuration files in critical system locations.

This vulnerability directly maps to CWE-22 Path Traversal and aligns with ATT&CK technique T1548.003 Lateral Movement through Kerberos, as the path traversal allows for authentication bypass mechanisms. The exploitation chain begins with AD GPO management access, progresses through malicious LDAP attribute manipulation, and culminates in root privilege escalation via file system injection. The specific targeting of Kerberos configuration files represents a sophisticated attack vector that can undermine the entire authentication infrastructure.

Mitigation strategies must address both the immediate path traversal vulnerability and the broader security posture. Organizations should implement strict input validation for all LDAP attributes processed by SSSD, particularly those containing file system path information. The recommended approach includes deploying SSSD version updates that properly sanitize directory traversal sequences, implementing additional access controls to limit AD GPO management privileges, and configuring SELinux policies with stricter file system access restrictions. Additionally, monitoring for suspicious LDAP attribute values and implementing automated vulnerability scanning of GPO configurations can help detect potential exploitation attempts before they succeed.

Responsible

Redhat

Reservation

07/02/2026

Disclosure

07/07/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Do you need the next level of professionalism?

Upgrade your account now!