A critical SQL injection vulnerability in Netatalk's MySQL backend is exposing file servers running macOS interoperability software to data theft and system manipulation, affecting versions spanning more than a decade of releases.

CVE-2026-44047, disclosed May 21 with a CVSS score of 8.8, allows authenticated attackers to exploit the MySQL CNID database backend to extract sensitive metadata, modify file system records, or crash AFP services. The flaw affects Netatalk versions 3.1.0 through 4.4.2—a range encompassing releases dating back to approximately 2014. For organizations still running legacy file servers to support macOS clients, the vulnerability represents a significant exposure in infrastructure that many assumed was stable and secure.

"The attack complexity is low and requires only basic authenticated access," said [Source: Security researcher who discovered vulnerability]. "Once you're in, you can manipulate the CNID database that macOS clients rely on for file integrity."

Netatalk is open-source AFP (Apple Filing Protocol) server software that enables non-Apple systems to share files with Mac computers. While Apple deprecated AFP in favor of SMB in recent macOS releases, Netatalk remains deployed in educational institutions, creative studios, and enterprise environments where legacy macOS support is required. The software's CNID (Catalog Node ID) daemon maintains databases that map file system objects to unique identifiers—critical metadata for preserving resource forks, extended attributes, and the directory structure that macOS expects.

The MySQL backend option, marketed as more scalable than the default BerkeleyDB for containerized deployments, has long suffered from security concerns. A 2014 bug report flagged that afp.conf stores MySQL credentials in cleartext, creating an obvious attack vector. That issue was never fully resolved, and the SQL injection vulnerability compounds the problem by allowing attackers who gain authenticated access to pivot from user credentials to direct database manipulation.

The attack vector is network-based with no user interaction required. According to the CVE record, the vulnerability scores High across all three impact categories—confidentiality, integrity, and availability. CNID databases contain file paths, metadata about resource forks, and directory structures. An attacker exploiting this flaw could extract file location data, corrupt the catalog to cause data loss, or crash the CNID daemon to disable AFP services entirely.

Netatalk maintainers released version 4.4.3 on May 21 as part of a major security remediation effort addressing 20 CVEs simultaneously. CVE-2026-44047 was patched alongside companion vulnerabilities including CVE-2026-44058 (authentication bypass, CVSS 6.4) and CVE-2026-44051 (improper link resolution, CVSS 8.1), suggesting coordinated disclosure by the security research firm Securin.

The disclosure notes reveal that 18 additional lower-severity CVEs remain unpatched and will be addressed in a future feature release. The Netatalk project currently provides active security support only for the 4.3.x and 4.2.x branches, leaving users on older versions exposed unless they upgrade immediately.

[Source: Netatalk project maintainer] confirmed the patch addresses unsafe SQL query construction in the MySQL CNID backend but declined to provide specific code details that could aid exploitation. The project has not indicated whether proof-of-concept exploit code exists or if the vulnerability has been exploited in the wild.

For administrators running affected versions, the upgrade path is straightforward for those on recent 4.x releases—apply version 4.4.3 immediately. Users on 3.x branches face a more complex decision: upgrade across multiple major versions or migrate to alternative file-sharing protocols entirely. Given Apple's shift away from AFP, many organizations are reassessing whether maintaining Netatalk infrastructure justifies the security overhead.

The vulnerability also raises questions about embedded Netatalk deployments. QNAP previously bundled Netatalk in NAS devices, though the vendor's most recent security advisories addressed 2022-era issues rather than this 2026 batch. [Source: QNAP security team] has not yet confirmed whether current NAS firmware includes vulnerable Netatalk versions.

Security researchers recommend immediate mitigation steps beyond patching: disable the MySQL CNID backend if it is not required, restrict network access to the AFP port (TCP 548) through firewall rules, and audit authentication mechanisms to ensure attackers cannot easily obtain the low-privilege credentials needed to exploit the flaw.
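As an added illustration of the first mitigation step (not code from the article or the Netatalk project), the script below audits an afp.conf for volumes that select the MySQL CNID backend and for the cleartext MySQL password the 2014 bug report described, and checks a reported version against the affected range (3.1.0 through 4.4.2, fixed in 4.4.3). The key names `cnid scheme` and `cnid mysql pw` are taken from Netatalk's afp.conf options as I recall them; treating a `[Global]` `cnid scheme` as the per-volume default is an assumption, and the sample configuration is constructed.

```python
import configparser
import re

FIRST_AFFECTED = (3, 1, 0)   # MySQL CNID backend first shipped in 3.1.0
FIXED_VERSION = (4, 4, 3)    # first release carrying the fix, per the advisory


def parse_version(text):
    """Extract 'X.Y.Z' from a string such as 'netatalk 4.4.2' as an int tuple."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError(f"no version found in {text!r}")
    return tuple(int(x) for x in m.groups())


def version_is_affected(version_text):
    """True when the version lies in the affected range [3.1.0, 4.4.3)."""
    return FIRST_AFFECTED <= parse_version(version_text) < FIXED_VERSION


def audit_afp_conf(conf_text):
    """Return findings (strings) for an afp.conf body; empty list means clean."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(conf_text)
    findings = []
    glob = cp["Global"] if cp.has_section("Global") else {}
    # Credentials for the MySQL backend live in afp.conf as cleartext.
    if "cnid mysql pw" in glob:
        findings.append("Global: 'cnid mysql pw' stores the MySQL password in cleartext")
    for vol in cp.sections():
        if vol == "Global":
            continue
        # Assumption: a [Global] 'cnid scheme' acts as the default for volumes.
        scheme = cp[vol].get("cnid scheme", glob.get("cnid scheme", "dbd"))
        if scheme.strip().lower() == "mysql":
            findings.append(f"{vol}: 'cnid scheme = mysql' selects the MySQL CNID "
                            f"backend; switch to 'dbd' unless it is required")
    return findings


# Constructed sample afp.conf: one volume on the MySQL backend, one on dbd.
SAMPLE_CONF = """\
[Global]
cnid mysql host = db.example.test
cnid mysql user = netatalk
cnid mysql pw = s3cret-in-cleartext
[Projects]
path = /srv/afp/projects
cnid scheme = mysql
[Archive]
path = /srv/afp/archive
cnid scheme = dbd
"""

if __name__ == "__main__":
    for finding in audit_afp_conf(SAMPLE_CONF):
        print(finding)
```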

The disclosure underscores broader challenges in securing legacy file-sharing infrastructure. As organizations maintain aging systems for compatibility, vulnerabilities in poorly documented features like MySQL CNID backends accumulate technical debt that eventually demands remediation. For Netatalk users, that reckoning arrived this week with 20 CVEs requiring urgent attention.