CVE-2026-40606

EUVD-2026-24215

21.04.2026, 18:16

mitmproxy is a interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers and mitmweb is a web-based interface for mitmproxy. In mitmproxy 12.2.1 and below, the builtin LDAP proxy authentication does not correctly sanitize the username when querying the LDAP server. This allows a malicious client to bypass authentication. Only mitmproxy instances using the proxyauth option with LDAP are affected. This option is not enabled by default. The vulnerability has been fixed in mitmproxy 12.2.2 and above.

LDAP Injection

Provider	Type	Base Score	Atk. Vector	Atk. Complexity	Priv. Required	Vector
GitHub_M	CNA	4.8 MEDIUM	NETWORK	HIGH	NONE	CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

Base Score

CVSS 3.x

EPSS Score

Percentile: Unknown

Early Detection

Affected products identified ahead of NVD analysis through intelligence sources.

Vendor	Product	Version	Source
mitmproxy	mitmproxy	𝑥 < 12.2.2	CNA

Debian Releases

Debian Product

Codename

mitmproxy

bookworm	vulnerable
bullseye	vulnerable
forky	vulnerable
sid	vulnerable

Common Weakness Enumeration

CWE-90 - Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
The software constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.

References

https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-527g-3w9m-29hv