CVE-2026-40606

Source
https://cve.org/CVERecord?id=CVE-2026-40606
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40606.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-40606
Aliases
Downstream
Related
Published
2026-04-21T17:43:21.041Z
Modified
2026-07-08T08:13:12.515842610Z
Severity
  • 4.8 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
Summary
ProxyAuth Addon LDAP Injection in mitmproxy
Details

mitmproxy is a interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers and mitmweb is a web-based interface for mitmproxy. In mitmproxy 12.2.1 and below, the builtin LDAP proxy authentication does not correctly sanitize the username when querying the LDAP server. This allows a malicious client to bypass authentication. Only mitmproxy instances using the proxyauth option with LDAP are affected. This option is not enabled by default. The vulnerability has been fixed in mitmproxy 12.2.2 and above.

Database specific
{
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/40xxx/CVE-2026-40606.json",
    "cna_assigner": "GitHub_M",
    "cwe_ids": [
        "CWE-90"
    ]
}
References

Affected packages

Git / github.com/mitmproxy/mitmproxy

Affected ranges

Type
GIT
Repo
https://github.com/mitmproxy/mitmproxy
Events
Introduced
0 Unknown introduced commit / All previous commits are affected
Fixed
Database specific
{
    "source": [
        "AFFECTED_FIELD",
        "CPE_RANGE"
    ],
    "cpe": "cpe:2.3:a:mitmproxy:mitmproxy:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "12.2.2"
        }
    ]
}

Affected versions

10.*
10.0.0
10.1.0
10.1.1
10.1.2
10.1.3
10.1.4
10.1.5
10.1.6
10.2.0
10.2.1
10.2.2
10.2.3
10.2.4
10.3.0
9.*
9.0.0
9.0.1
v0.*
v0.11.1
v0.11.3
v0.12
v0.12.1
v0.13
v0.14
v0.15
v0.16
v0.17
v0.18
v0.18.1
v0.4
v0.5
v0.6
v0.7
v0.8
v0.9
v1.*
v1.0
v1.0.1
v10.*
v10.0.0
v10.1.0
v10.1.1
v10.1.2
v10.1.3
v10.1.4
v10.1.5
v10.1.6
v10.2.0
v10.2.1
v10.2.2
v10.2.3
v10.2.4
v10.3.0
v10.3.1
v10.4.0
v10.4.1
v10.4.2
v11.*
v11.0.0
v11.0.1
v11.0.2
v11.1.0
v11.1.1
v11.1.2
v11.1.3
v12.*
v12.0.0
v12.0.1
v12.1.0
v12.1.1
v12.1.2
v12.2.0
v12.2.1
v2.*
v2.0.0
v3.*
v3.0.0
v3.0.0rc1
v3.0.0rc2
v3.0.1
v4.*
v4.0.0
v5.*
v5.0.0
v5.1.0
v5.1.1
v5.2
v5.3.0
v6.*
v6.0.0
v7.*
v7.0.0
v7.0.1
v7.0.2
v8.*
v8.0.0
v8.1.0
v8.1.1
v9.*
v9.0.0
v9.0.1

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-40606.json"