CVE-2026-40606 MEDIUM

CVE-2026-40606: ProxyAuth Addon LDAP Injection in mitmproxy

Vendor Mitmproxy
Product mitmproxy
Weakness CWE-90 · LDAP injection
Published April 21, 2026
Last update April 22, 2026

CVSS base score

4.8/10
Attack vector Network
Attack complexity High
Privileges required None
User interaction None
Confidentiality Low
Integrity Low

CVSS vector

CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N

What the vulnerability does

Description

mitmproxy is an interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers, and mitmweb is a web-based interface for mitmproxy. In mitmproxy 12.2.1 and below, the built-in LDAP proxy authentication does not correctly sanitize the username when querying the LDAP server. This allows a malicious client to bypass authentication. Only mitmproxy instances using the proxyauth option with LDAP are affected; this option is not enabled by default. The vulnerability has been fixed in mitmproxy 12.2.2 and above.
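The description says the root cause is a username that reaches the LDAP query without sanitization (CWE-90), and the remedy is to escape it. The block below is an added example written for this page; it is not mitmproxy's code and not the patch shipped in 12.2.2. It shows the vulnerable pattern (interpolating the client-supplied username into a search filter), the hardened pattern using RFC 4515 filter-value escaping, and a small check a defender can run on incoming usernames to log or alert on filter metacharacters. The function names, the `uid` attribute and the sample usernames are assumptions constructed for illustration.

```python
# Added example: RFC 4515 escaping for values placed in an LDAP search filter.
# Not mitmproxy's code; function names, the 'uid' attribute and all sample
# usernames below are constructed for illustration.

# RFC 4515 section 3: these characters must be escaped inside an assertion
# value, otherwise they are interpreted as filter syntax.
_LDAP_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_ldap_filter_value(value: str) -> str:
    """Return value encoded so it is treated as a literal assertion value."""
    return "".join(_LDAP_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_user_filter_unsafe(username: str, attr: str = "uid") -> str:
    """Vulnerable pattern: the client-supplied username is interpolated verbatim,
    so filter metacharacters in it change the structure of the query."""
    return f"({attr}={username})"


def build_user_filter(username: str, attr: str = "uid") -> str:
    """Hardened pattern: the username is escaped before interpolation, so the
    resulting filter always has exactly one equality assertion on attr."""
    return f"({attr}={escape_ldap_filter_value(username)})"


def contains_filter_metacharacters(username: str) -> bool:
    """Detection helper: True if the raw username carries any character that
    would alter filter syntax. Useful for logging/alerting on auth attempts,
    independently of the escaping applied before the query."""
    return any(ch in _LDAP_FILTER_ESCAPES for ch in username)


def count_assertions(filter_str: str) -> int:
    """Count '(' at depth 0 in a filter string: a single equality filter has
    exactly one. Used here to demonstrate that escaping preserves structure."""
    depth, count = 0, 0
    for ch in filter_str:
        if ch == "(":
            if depth == 0:
                count += 1
            depth += 1
        elif ch == ")":
            depth -= 1
    return count


if __name__ == "__main__":
    # Constructed sample inputs: a benign username and one carrying metacharacters.
    for name in ("alice", "a*)(uid=*"):
        print(f"{name!r:14} unsafe -> {build_user_filter_unsafe(name)}")
        print(f"{'':14} safe   -> {build_user_filter(name)}")
        print(f"{'':14} flagged: {contains_filter_metacharacters(name)}")
```

Escaping at the point where the value enters the filter is the fix; the detection helper is a complement for the SOC side, since a flagged username on a proxy that authenticates against LDAP is worth an alert even when the query itself is safe.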

Key dates

Disclosure timeline

April 21, 2026 CVE published
April 22, 2026 Record updated