SSSD AD GPO Path Traversal Enables Root Write & Auth Bypass
CVE-2026-14476 Published on July 7, 2026
Sssd: sssd: gpo cache path traversal via unsanitized gpcfilesyspath allows kerberos authentication bypass
A path traversal flaw was found in SSSD's AD GPO provider. The ad_gpo_extract_smb_components() function does not sanitize .. sequences in the gPCFileSysPath LDAP attribute, allowing an attacker with AD GPO management access to write files outside the GPO cache directory as root. On default RHEL configurations with SELinux enforcing, this can be used to inject Kerberos configuration leading to authentication bypass.
Vulnerability Analysis
CVE-2026-14476 is exploitable with network access, and requires user privileges. This vulnerability is consided to have a high level of attack complexity. The potential impact of an exploit of this vulnerability is considered to be very high.
Timeline
Reported to Red Hat.
Made public. 70 days later.
Weakness Type
Relative Path Traversal
The software uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize sequences such as ".." that can resolve to a location that is outside of that directory. This allows attackers to traverse the file system to access files or directories that are outside of the restricted directory.
Products Associated with CVE-2026-14476
stack.watch emails you whenever new vulnerabilities are published in Red Hat Enterprise Linux (RHEL) or Red Hat Openshift. Just hit a watch button to start following.