CVE-2026-40606— ProxyAuth Addon LDAP Injection in mitmproxy
Get alerts for future matching vulnerabilitiesLog in to subscribe
I. Basic Information for CVE-2026-40606
Vulnerability Information
Have questions about the vulnerability? See if Shenlong's analysis helps!
View Shenlong Deep Dive ↗ Although we use advanced large model technology, its output may still contain inaccurate or outdated information.Shenlong tries to ensure data accuracy, but please verify and judge based on the actual situation.
Vulnerability Title
ProxyAuth Addon LDAP Injection in mitmproxy
Source: NVD (National Vulnerability Database)
Vulnerability Description
mitmproxy is a interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers and mitmweb is a web-based interface for mitmproxy. In mitmproxy 12.2.1 and below, the builtin LDAP proxy authentication does not correctly sanitize the username when querying the LDAP server. This allows a malicious client to bypass authentication. Only mitmproxy instances using the proxyauth option with LDAP are affected. This option is not enabled by default. The vulnerability has been fixed in mitmproxy 12.2.2 and above.
Source: NVD (National Vulnerability Database)
CVSS Information
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N
Source: NVD (National Vulnerability Database)
Vulnerability Type
LDAP查询中使用的特殊元素转义处理不恰当(LDAP注入)
Source: NVD (National Vulnerability Database)
Vulnerability Title
mitmproxy 注入漏洞
Source: CNNVD (China National Vulnerability Database)
Vulnerability Description
mitmproxy是mitmproxy开源的一个交互式的、支持 SSL/TLS 的拦截代理,带有用于 HTTP/1、HTTP/2 和 WebSockets 的控制台界面。 mitmproxy 12.2.1及之前版本存在注入漏洞,该漏洞源于LDAP代理身份验证未正确清理用户名,可能导致恶意客户端绕过身份验证。
Source: CNNVD (China National Vulnerability Database)
CVSS Information
N/A
Source: CNNVD (China National Vulnerability Database)
Vulnerability Type
N/A
Source: CNNVD (China National Vulnerability Database)
Affected Products
II. Public POCs for CVE-2026-40606
| # | POC Description | Source Link | Shenlong Link |
|---|
AI-Generated POCPremium
No public POC found.
Login to generate AI POCIII. Intelligence Information for CVE-2026-40606
请登录查看更多情报信息。
IV. Related Vulnerabilities
Same vendor: mitmproxy
Same weakness: CWE-90
- CVE-2026-40459
LDAP Injection in PAC4J - CVE-2026-40193
Maddy Mail Server: LDAP Filter Injection via Unsanitized Use - CVE-2026-0636
LDAP Injection Vulnerability in LDAPStoreHelper.java - CVE-2026-39962
LDAP injection in MISP ApacheAuthenticate when using a user- - CVE-2026-34578
OPNsense has an LDAP Injection via Unsanitized Username in A
V. Comments for CVE-2026-40606
No comments yet