Download of code without integrity check in Netatalk - #VU132263


Published: May 25, 2026


Vulnerability identifier: #VU132263
CSH Severity: Low
CVSS v4.0: CVSS:4.0/AV:N/AC:L/AT:P/PR:H/UI:N/VC:N/VI:L/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: N/A
CWE-ID: CWE-494
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vendor: Netatalk
Affected software: Netatalk

Detailed vulnerability description

The vulnerability allows a remote user to execute arbitrary code.

The vulnerability exists because the build-netbsd job of the NetBSD CI workflow downloads code without an integrity check when it installs build dependencies from a plaintext HTTP pkgsrc mirror. A remote privileged user positioned on the network path can substitute malicious packages and thereby execute arbitrary code.

This affects the CI runner environment only; no path to release artifacts or repository writes was identified.
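As an added illustration of the weakness class described above (CWE-494, code fetched over plaintext HTTP and installed without an integrity check), and not part of this advisory or of Netatalk's own CI configuration: a small POSIX shell gate that refuses a package source not served over TLS and checks a downloaded package file against a pinned SHA-256 digest before handing it to the installer. The mirror URLs, package file and digest are constructed placeholders; the default installer name pkg_add is assumed from pkgsrc conventions, and the installer command is a parameter so the gate can be exercised on any host.

```shell
#!/bin/sh
# Added example (not from the advisory or the Netatalk project): fail closed
# on an insecure dependency source and verify integrity before installing a
# CI build dependency.

# Accept only https:// package sources. Returns 0 for https, 1 otherwise.
require_https_source() {
    case "$1" in
        https://*) return 0 ;;
        *) echo "refusing non-https package source: $1" >&2; return 1 ;;
    esac
}

# Print the SHA-256 of a file; tries sha256sum, shasum, then openssl so the
# gate works on Linux, BSD and macOS runners alike.
sha256_of() {
    if command -v sha256sum >/dev/null 2>&1; then
        sha256sum "$1" | cut -d' ' -f1
    elif command -v shasum >/dev/null 2>&1; then
        shasum -a 256 "$1" | cut -d' ' -f1
    else
        openssl dgst -sha256 "$1" | sed 's/.*= *//'
    fi
}

# Compare a downloaded file against a pinned digest (hex, lowercase).
# Returns 0 on match, 1 on mismatch or if the file cannot be hashed.
verify_pinned_sha256() {
    file="$1"; expected="$2"
    actual=$(sha256_of "$file") || return 1
    if [ "$actual" = "$expected" ]; then
        return 0
    fi
    echo "integrity check failed for $file" >&2
    echo "  expected: $expected" >&2
    echo "  actual:   $actual" >&2
    return 1
}

# Install a dependency only if both checks pass. The source URL is the
# mirror the package was fetched from; pkg_add is assumed as the default
# installer (pkgsrc convention), but any command taking the file path works.
install_dep_checked() {
    source_url="$1"; pkgfile="$2"; expected="$3"; installer="${4:-pkg_add}"
    require_https_source "$source_url" || return 1
    verify_pinned_sha256 "$pkgfile" "$expected" || return 1
    "$installer" "$pkgfile"
}

# Usage in a CI step (placeholder values):
#   install_dep_checked https://mirror.example.org/pkgsrc/ \
#       ./somepkg-1.0.tgz <pinned-sha256-hex>
# The weak pattern this replaces is an unverified install from an http://
# mirror, where a network-path attacker can swap the package.
```

The pinned digest is what makes the check meaningful: it has to come from a trusted source recorded in the repository (for example a checksum file committed alongside the workflow), not from the same mirror the package is fetched from. Switching the mirror to https removes the plaintext substitution path; the digest check additionally protects against a compromised or stale mirror.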


Remediation

Install security update from vendor's website.

Sources