Medium

Samba certificate auto-enrollment GPO CA certificate installation over HTTP without verification

Identifiers: CVE-2026-3012, CWE-494

CVE-2026-3012 is a flaw in Samba's certificate auto-enrollment Group Policy handling affecting Samba versions since 4.16. When certificate auto-enrollment is enabled on a domain member, Samba may fetch a CA certificate over plain HTTP and install it into the local trust store without proper verification. The vulnerable behavior occurs in the auto-enrollment GPO path used by domain members, where Samba follows a certificate retrieval URL pattern associated with Microsoft NDES even though a more secure encrypted LDAP channel is available for domain members. Because the CA certificate is obtained over an unencrypted and insufficiently validated channel, an attacker who can intercept or redirect the HTTP traffic can substitute an attacker-controlled CA certificate, which is then trusted by the affected host.


ANALYST BRIEF

Impact, mitigation & remediation

What it means. What to do now. Patch path, mitigations, and the assume-compromise checklist.

Impact

What an attacker gets, and what they’ve been doing with it.

Successful exploitation allows an attacker to cause installation of a malicious certificate authority certificate into the affected system's trust store. This can undermine the host's trust model and enable interception, spoofing, or impersonation of otherwise trusted communications, with high confidentiality and integrity impact. The published CVSS v3.1 vector is AV:A/AC:H/PR:N/UI:N/S:C/C:H/I:H/A:N with a base score of 8.0. No direct availability impact is described.

Mitigation

If you can’t patch tonight, do this now.

If immediate patching is not possible, disable the vulnerable certificate auto-enrollment GPO path so the affected code does not run. In particular, avoid enabling certificate auto-enrollment on domain members, and ensure Group Policy processing is not enabled where unnecessary. If smb.conf does not contain 'apply group policies = yes', the vulnerable code path does not execute. Also reduce exposure to local network interception or traffic redirection and avoid allowing CA certificate retrieval over unencrypted HTTP.

Remediation

Patch, then assume compromise.

Upgrade Samba to a fixed release. The issue is addressed in Samba 4.22.10, 4.23.8, and 4.24.3. The Samba fix removes the HTTP certificate download behavior and relies on LDAP values instead. Administrators should apply the vendor patch or upgrade promptly to a release containing the fix.
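The mitigation and remediation notes above give two checkable conditions: the host runs a release in the affected range (4.16 up to the branch's fixed release), and smb.conf enables Group Policy processing. The following audit helper is an added example, not Samba's own code; it assumes the fixed releases named above and treats affected branches with no fixed release listed here as still affected.

```python
"""Audit helper for CVE-2026-3012 (added example, not Samba's own code).

Reports whether a host is on a release this advisory lists as affected and
whether smb.conf enables Group Policy processing, the precondition for the
vulnerable certificate auto-enrollment path to run at all.
"""
import re

FIRST_AFFECTED = (4, 16)
# Fixed releases named in the advisory, keyed by branch. Branches from 4.16
# up to 4.21 have no fixed release listed, so they are treated as affected.
FIXED_BY_BRANCH = {(4, 22): (4, 22, 10), (4, 23): (4, 23, 8), (4, 24): (4, 24, 3)}


def parse_version(text):
    """Turn '4.22.9' or 'Version 4.23.8-Debian' into (major, minor, patch)."""
    m = re.search(r"(\d+)\.(\d+)\.(\d+)", text)
    if not m:
        raise ValueError("no Samba version found in %r" % text)
    return tuple(int(x) for x in m.groups())


def version_affected(version):
    """True if version is >= 4.16 and below its branch's fixed release."""
    if version[:2] < FIRST_AFFECTED:
        return False
    fixed = FIXED_BY_BRANCH.get(version[:2])
    return True if fixed is None else version < fixed


def group_policy_enabled(smb_conf_text):
    """True if [global] sets 'apply group policies' to a true value.

    Samba ignores case and whitespace in parameter names and accepts
    yes/true/1 for booleans; the last setting in [global] wins. Files pulled
    in via 'include' are not followed, so feed this 'testparm -s' output
    when the configuration is split across files.
    """
    section, enabled = None, False
    for raw in smb_conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in ";#":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = re.sub(r"\s+", "", line[1:-1]).lower()
            continue
        if section != "global" or "=" not in line:
            continue
        key, value = line.split("=", 1)
        if re.sub(r"\s+", "", key).lower() == "applygrouppolicies":
            enabled = value.strip().lower() in ("yes", "true", "1")
    return enabled


def vulnerable_path_reachable(version_text, smb_conf_text):
    """Both conditions must hold for the HTTP CA download path to be reachable."""
    return version_affected(parse_version(version_text)) and group_policy_enabled(smb_conf_text)
```

Run it against the output of `smbd --version` and `testparm -s`; a host where `vulnerable_path_reachable` is true needs either the upgrade or the configuration change described above.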
PUBLIC EXPLOITS

Exploits


No public exploit code observed for this vulnerability.

EXPOSURE SURFACE

Affected products & vendors

Products and vendors Mallory has correlated with this vulnerability.

Vendor   | Product                      | Type
Red Hat  | Enterprise Linux             | operating_system
Red Hat  | Openshift Container Platform | application
Samba    | Samba                        | application
