Wasteland. | Brief | 2026-05-28

CVE-2026-4408: Samba "check password script" Command Injection Enables Unauthenticated RCE

A critical command injection flaw in Samba's "check password script" feature allows remote attackers to execute arbitrary commands on affected file servers and classic domain controllers when the script is configured with the %u substitution character.

What Is It

CVE-2026-4408 is a CWE-78 OS command injection vulnerability in Samba. When the "check password script" option is configured with the %u substitution, Samba passes the client-controlled username into a shell command without escaping shell meta-characters. An unauthenticated remote attacker can craft a username containing shell metacharacters to achieve remote command execution on the underlying host.
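
The injection pattern described above, as an added example that is not Samba's code: a constructed stand-in for an administrator's password-check script, a command template carrying the %u placeholder, and the two ways of invoking it. The script, the template and the username are all made up for illustration; only the bug class is the same.

```sh
#!/bin/sh
# Added example, not code from the brief or from Samba: a stand-in that
# shows why passing a client-chosen username through "%u" into a shell
# command line is CWE-78. The script, template and usernames are constructed.

WORK=$(mktemp -d)

# Stand-in for an administrator's password-check script: it only reports
# how many arguments it received and what they were.
PWCHECK="$WORK/pwcheck.sh"
cat > "$PWCHECK" <<'EOF'
#!/bin/sh
printf 'pwcheck got %d arg(s): %s\n' "$#" "$*"
EOF

# The configured command with the %u placeholder, as the brief describes it.
TEMPLATE="sh $PWCHECK %u"

# Unsafe pattern: %u is replaced by the raw username and the resulting string
# is handed to a shell, so ';', '|', '$(...)' and friends in the name are
# parsed as shell syntax rather than treated as data. (awk's sub() treats
# '&' and '\' in the replacement specially; the names used here have neither.)
run_unsafe() {
    cmd=$(printf '%s\n' "$TEMPLATE" | awk -v u="$1" '{ sub(/%u/, u); print }')
    sh -c "$cmd"
}

# Safe pattern: the username travels as one argv element and never passes
# through a shell parser, so metacharacters stay inside that single argument.
run_safe() {
    sh "$PWCHECK" "$1"
}

# Returns 0 when running the given handler with a hostile username causes
# the smuggled command to execute (its marker appears as a line of its own).
injected() {
    "$1" 'alice; echo INJECTED' | grep -qx 'INJECTED'
}

echo '--- unsafe:'; run_unsafe 'alice; echo INJECTED'
echo '--- safe:';   run_safe   'alice; echo INJECTED'
```

Run it and the unsafe branch prints INJECTED on its own line after the script's report, while the safe branch shows the whole string arriving as one argument. The remedy for this bug class is the run_safe shape, an argv executed directly rather than a string handed to a shell; what the upstream fix for this CVE actually does is not described in the supplied material.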

The vulnerability carries a CVSS 3.1 base score of 9.0 (CRITICAL) with vector AV:N/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:H: network-reachable, no privileges or user interaction required, changed scope, and high impact on confidentiality, integrity and availability. The one moderating factor is attack complexity, rated High, which is what keeps the score below 10.0.

Why It Matters

Samba underpins file sharing and legacy domain controller deployments across Linux and Unix environments. Because exploitation requires no authentication and no user interaction, any exposed Samba instance running a vulnerable configuration is at risk of full host compromise. The scope-changed CVSS rating reflects the ability to break out of the Samba service context and impact the broader system. The supplied source material does not indicate confirmed in-the-wild exploitation; this CVE is not listed in the supplied CISA KEV data.

What's Vulnerable

The flaw affects non-standard configurations of Samba where both of the following are true:

- the check password script option is set in smb.conf, so Samba invokes an external program through it; and
- the configured command line uses the %u substitution, which inserts the client-supplied username.

Affected deployments include Samba file servers and classic domain controllers using this configuration. Default Samba installations leave check password script unset and are not exposed by this issue.

Patch Status

NVD lists the CVE as "Awaiting Analysis" as of publication (2026-05-28). The supplied references point to Red Hat and upstream Samba tracking entries for remediation details. Administrators running the at-risk configuration should monitor the upstream Samba advisory and Red Hat tracker for fixed package versions, and as a mitigation either remove the %u substitution from check password script or disable the script until a patched build is deployed.
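
An audit and interim mitigation for the at-risk configuration described under "What's Vulnerable" and "Patch Status", as an added example that is not Samba tooling: it flags active check password script lines that expand %u and writes a copy of smb.conf with those lines commented out. The two configuration files are constructed for the example. On a real host, run `testparm -s` first and audit its output, so that include files and alternative spellings of parameter names are already resolved.

```sh
#!/bin/sh
# Added example, not Samba tooling: audit an smb.conf for the at-risk
# "check password script" setting that expands %u, and emit a mitigated copy.
# Assumption: the input is smb.conf syntax with includes already resolved
# (on a real host run `testparm -s` and audit its output). The sample
# configs below are constructed.

WORK=$(mktemp -d)

# Constructed at-risk config. The ';'-prefixed line is a comment and must
# not be flagged.
cat > "$WORK/risky.conf" <<'EOF'
[global]
   workgroup = WORKGROUP
   security = user
   check password script = /usr/local/sbin/pwcheck.sh %u
   ; check password script = /usr/local/sbin/old-check.sh %u
EOF

# Constructed config that uses the script without %u: not exposed.
cat > "$WORK/safe.conf" <<'EOF'
[global]
   workgroup = WORKGROUP
   check password script = /usr/local/sbin/pwcheck.sh
EOF

# Print every active (uncommented) "check password script" line whose value
# contains %u. Samba ignores case and whitespace inside parameter names, so
# the first grep also accepts "CheckPasswordScript"; comment lines start with
# ';' or '#' and never match the anchored pattern. Exit 0 means at risk.
find_risky_cps() {
    grep -iE '^[[:space:]]*check[[:space:]]*password[[:space:]]*script[[:space:]]*=' "$1" \
        | grep '%u'
}

# Number of flagged lines, as a bare integer.
count_risky_cps() {
    find_risky_cps "$1" | wc -l | tr -d ' '
}

# Write a mitigated copy of $1 to $2: each flagged line is commented out,
# which returns the parameter to its empty default (no script is run).
# All other lines are preserved so the copy diffs cleanly against the original.
disable_cps() {
    awk '{
        if (tolower($0) ~ /^[ \t]*check[ \t]*password[ \t]*script[ \t]*=/ && $0 ~ /%u/)
            print "; CVE-2026-4408 mitigation, disabled: " $0
        else
            print $0
    }' "$1" > "$2"
}

echo "risky.conf: $(count_risky_cps "$WORK/risky.conf") at-risk line(s)"
disable_cps "$WORK/risky.conf" "$WORK/hardened.conf"
echo "hardened.conf: $(count_risky_cps "$WORK/hardened.conf") at-risk line(s)"
echo "safe.conf: $(count_risky_cps "$WORK/safe.conf") at-risk line(s)"
```

Commenting the line out is the "disable the script" option from the paragraph above; if the script is needed, the alternative is to keep the line and drop %u from its arguments instead. Either way the change only takes effect once smbd reloads its configuration, so re-run the audit against `testparm -s` output after the reload, and again after fixed packages are installed to confirm the interim change can be reverted.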

Sources