PT-2026-32581 · Maddy · Maddy

Published: 2026-04-13 · Updated: 2026-04-16 · CVE-2026-40193

CVSS v3.1: 8.2 (High)
Vector: AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Name of the Vulnerable Software and Affected Versions: maddy versions prior to 0.9.3

Description: The auth.ldap module fails to escape user-supplied usernames when interpolating them into LDAP search filters and DN strings via the strings.ReplaceAll() function. This occurs within the Lookup() and AuthPlain() functions. An attacker with network access to the SMTP submission or IMAP interface can inject arbitrary LDAP filter expressions through the username field in AUTH PLAIN or LOGIN commands. This can lead to identity spoofing by manipulating filter results to authenticate as another user, LDAP directory enumeration using wildcard filters, and blind extraction of LDAP attribute values. The extraction is possible by using authentication responses as a boolean oracle or by leveraging timing side-channels between different failure paths.

Recommendations: Update to version 0.9.3.
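The root cause described above is a plain string substitution of the username into filter and DN templates. The following Go program is an added illustration, not maddy's own code and not the project's fix: it places the unescaped substitution beside a hardened version that escapes the value per RFC 4515 (filter assertion values) and RFC 4514 (DN attribute values) before substitution. The template strings, the {username} placeholder and the function names are assumptions made for this example.

```go
package main

import (
	"fmt"
	"strings"
)

// Hypothetical templates in the style the advisory describes. The placeholder
// is replaced with the username supplied in the AUTH command.
const (
	filterTemplate = "(&(objectClass=inetOrgPerson)(uid={username}))"
	dnTemplate     = "uid={username},ou=people,dc=example,dc=org"
)

// buildFilterUnsafe mirrors the vulnerable pattern: the raw username goes
// straight into the filter, so filter metacharacters keep their meaning.
func buildFilterUnsafe(username string) string {
	return strings.ReplaceAll(filterTemplate, "{username}", username)
}

// escapeFilterValue escapes an assertion value as RFC 4515 section 3 requires:
// '*', '(', ')', '\' and NUL become backslash + two hex digits, so the value
// can neither terminate the enclosing filter nor turn into a wildcard match.
func escapeFilterValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch c {
		case '*', '(', ')', '\\', 0:
			fmt.Fprintf(&b, "\\%02x", c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// buildFilterSafe is the hardened form: escape first, then substitute.
func buildFilterSafe(username string) string {
	return strings.ReplaceAll(filterTemplate, "{username}", escapeFilterValue(username))
}

// escapeDNValue escapes an attribute value for use inside a DN string per
// RFC 4514 section 2.4: the characters " + , ; < > \ are backslash-escaped
// anywhere, a leading space or '#' and a trailing space are escaped, and NUL
// becomes \00.
func escapeDNValue(s string) string {
	var b strings.Builder
	for i := 0; i < len(s); i++ {
		c := s[i]
		switch {
		case c == 0:
			b.WriteString("\\00")
		case strings.IndexByte(`"+,;<>\`, c) >= 0:
			b.WriteByte('\\')
			b.WriteByte(c)
		case (c == ' ' && (i == 0 || i == len(s)-1)) || (c == '#' && i == 0):
			b.WriteByte('\\')
			b.WriteByte(c)
		default:
			b.WriteByte(c)
		}
	}
	return b.String()
}

// buildDNSafe substitutes the DN-escaped username into the DN template.
func buildDNSafe(username string) string {
	return strings.ReplaceAll(dnTemplate, "{username}", escapeDNValue(username))
}

func main() {
	// Constructed sample input: a username carrying a wildcard character.
	user := "bob*"
	fmt.Println("unsafe filter:", buildFilterUnsafe(user))
	fmt.Println("safe filter:  ", buildFilterSafe(user))
	fmt.Println("safe DN:      ", buildDNSafe("Smith, John"))
}
```

With the constructed input "bob*", the unsafe builder yields (uid=bob*), a wildcard match, while the hardened builder yields (uid=bob\2a), which only matches a literal asterisk. The same escaping must be applied on every path that embeds the username, including the DN string used for the bind, since escaping the filter alone leaves the DN construction exposed.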

Fix


Weakness Enumeration

Related Identifiers

CVE-2026-40193
GHSA-5835-4GVC-32PC

Affected Products

Maddy