mitmproxy - Malicious Usernames Can Bypass LDAP Authentication
GHSA-527g-3w9m-29hv
CVE-2026-40606
Summary
Mitmproxy's built-in LDAP proxy authentication does not correctly sanitize the username before using it in an LDAP query. An attacker who supplies a specially crafted username can bypass the authentication process. This only affects users who have enabled LDAP proxy authentication in their mitmproxy setup, which is not enabled by default. To stay secure, update to the latest version of mitmproxy, which has already fixed this issue.
What to do
- Update mitmproxy to version 12.2.2.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| pip | – | mitmproxy | <= 12.2.1 (fix: upgrade to 12.2.2) |
Original title
mitmproxy has an LDAP Injection
Original description
### Impact
In mitmproxy 12.2.1 and below, the builtin LDAP proxy authentication does not correctly sanitize the username when querying the LDAP server. This allows a malicious client to bypass authentication.
Only mitmproxy instances using the `proxyauth` option with LDAP are affected. This option is not enabled by default.
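As an added illustration of the CWE-90 pattern behind this advisory (not mitmproxy's own code): a username spliced directly into an LDAP search filter beside one escaped per RFC 4515 first, plus a check that counts unescaped parentheses to confirm the filter structure survived. The `uid` attribute and the sample username are assumptions.

```python
# RFC 4515 section 3: these characters carry meaning inside an LDAP search
# filter and must be encoded as a backslash followed by two hex digits.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str) -> str:
    """Escape a user-supplied value for safe use inside an LDAP search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_filter_unsafe(username: str) -> str:
    """Pattern to avoid: the raw username is concatenated into the filter."""
    return f"(uid={username})"


def build_filter_safe(username: str) -> str:
    """Hardened form: metacharacters in the username are escaped first."""
    return f"(uid={escape_filter_value(username)})"


def count_unescaped(ldap_filter: str, ch: str) -> int:
    """Count occurrences of ch that are not part of an RFC 4515 \\XX escape.

    A single-assertion filter such as (uid=...) must contain exactly one
    unescaped '('; any more means the user-controlled value altered the
    filter's structure.
    """
    count = 0
    i = 0
    while i < len(ldap_filter):
        if ldap_filter[i] == "\\":
            i += 3  # skip the backslash and its two hex digits
            continue
        if ldap_filter[i] == ch:
            count += 1
        i += 1
    return count


if __name__ == "__main__":
    # Constructed sample: a username that contains filter metacharacters.
    sample = "a*)(b"
    print(build_filter_unsafe(sample), count_unescaped(build_filter_unsafe(sample), "("))
    print(build_filter_safe(sample), count_unescaped(build_filter_safe(sample), "("))
```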
### Patches
The vulnerability has been fixed in mitmproxy 12.2.2 and above.
### Acknowledgements
We thank Yue (Knox) Liu (@yueyueL) for responsibly disclosing this vulnerability to the mitmproxy team.
### Timeline
- **2025-12-08**: Received initial report.
- **2025-12-09**: Verified report and confirmed receipt.
- **2026-01-02**: Informed researcher that patch will be part of the next regular patch release.
- **2026-04-12**: Published patch release and advisory.
CVSS 3.1 (GHSA): 4.8
Vulnerability type: CWE-90 (LDAP injection)
Published: 14 Apr 2026 · Updated: 15 Apr 2026 · First seen: 14 Apr 2026