Staging Environment: Content and features may be unstable or change without notice.
Search for vulnerabilities
Vulnerability details: VCID-v66z-2xeg-63gv
Vulnerability ID VCID-v66z-2xeg-63gv
Aliases CVE-2026-40606
GHSA-527g-3w9m-29hv
PYSEC-2026-92
Summary mitmproxy is a interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers and mitmweb is a web-based interface for mitmproxy. In mitmproxy 12.2.1 and below, the builtin LDAP proxy authentication does not correctly sanitize the username when querying the LDAP server. This allows a malicious client to bypass authentication. Only mitmproxy instances using the proxyauth option with LDAP are affected. This option is not enabled by default. The vulnerability has been fixed in mitmproxy 12.2.2 and above.
Status Published
Exploitability 0.5
Weighted Severity 4.3
Risk 2.1
Affected and Fixed Packages Package Details
Weaknesses (1)
CWE-90 Improper Neutralization of Special Elements used in an LDAP Query ('LDAP Injection')
System Score Found at
epss 0.00092 https://api.first.org/data/v1/epss?cve=CVE-2026-40606
cvssv3.1 4.8 https://github.com/mitmproxy/mitmproxy
generic_textual MODERATE https://github.com/mitmproxy/mitmproxy
cvssv3.1 4.8 https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-527g-3w9m-29hv
generic_textual MODERATE https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-527g-3w9m-29hv
ssvc Track https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-527g-3w9m-29hv
cvssv3.1 4.8 https://nvd.nist.gov/vuln/detail/CVE-2026-40606
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-40606
Reference id Reference type URL
https://api.first.org/data/v1/epss?cve=CVE-2026-40606
https://github.com/mitmproxy/mitmproxy
https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-527g-3w9m-29hv
https://nvd.nist.gov/vuln/detail/CVE-2026-40606
1134620 https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1134620
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/mitmproxy/mitmproxy
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-527g-3w9m-29hv
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Vector: SSVCv2/E:N/A:N/T:P/P:M/B:A/M:M/D:T/2026-04-22T13:25:44Z/ Found at https://github.com/mitmproxy/mitmproxy/security/advisories/GHSA-527g-3w9m-29hv
Vector: CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-40606
Attack Vector (AV) Attack Complexity (AC) Privileges Required (PR) User Interaction (UI) Scope (S) Confidentiality Impact (C) Integrity Impact (I) Availability Impact (A)

network

adjacent_network

local

physical

low

high

none

low

high

none

required

unchanged

changed

high

low

none

high

low

none

high

low

none
Exploit Prediction Scoring System (EPSS)
Percentile 0.25857
EPSS Score 0.00092
Published At May 30, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-05-30T20:38:15.622115+00:00 Pypa Importer Import https://github.com/pypa/advisory-database/blob/main/vulns/mitmproxy/PYSEC-2026-92.yaml 38.6.0