Critical Drupal SAML SSO auth bypass and high-severity Samba flaws disclosed
Drupal disclosed SA-CONTRIB-2026-031, a critical authentication bypass vulnerability in the SAML SSO - Service Provider module affecting versions prior to 3.1.4. The Canadian Centre for Cyber Security warned that organizations using the product should review Drupal’s guidance and apply the vendor update, as the flaw could allow unauthorized access through affected single sign-on deployments.
Separately, Samba maintainers announced upcoming security releases for versions 4.22, 4.23, and 4.24 to address six vulnerabilities spanning file services, domain members, and Active Directory Domain Controller components. A follow-up correction said a CVSS 10.0 file-services issue affects uncommon configurations rather than some configurations, and clarified that one Active Directory-related flaw impacts domain members rather than AD domain controllers; administrators were urged to deploy the Samba updates promptly after release.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
4 events from the most recent confirmed update back to the earliest known activity.
Samba postpones April 9 security releases after fix issue found
Douglas Bagnall announced that the Samba security releases planned for April 9, 2026 were postponed after the team discovered a problem in one of the fixes. Samba said a new release date would be announced as soon as possible and advised administrators to remain ready to update promptly once releases are available.
Samba corrects scope details for two upcoming vulnerabilities
In a follow-up message, Douglas Bagnall corrected earlier descriptions of two Samba issues, clarifying that a CVSS 10.0 file services flaw affects uncommon configurations and that an Active Directory-related issue affects domain members rather than AD domain controllers. Administrators were advised to update soon after the fixes became available.
Samba announces upcoming April 9 security releases
Douglas Bagnall announced that Samba security updates for versions 4.22, 4.23, and 4.24 were scheduled for release on April 9, 2026. The notice said the release would address six vulnerabilities affecting file services, domain members, and AD DC components, with CVSS scores ranging from 6.5 to 10.0.
Drupal discloses critical SAML SSO authentication bypass flaw
Drupal published security advisory SA-CONTRIB-2026-031 for a critical authentication bypass vulnerability in the SAML SSO - Service Provider product affecting versions prior to 3.1.4. The Canadian Centre for Cyber Security urged administrators to review Drupal's guidance and apply the necessary updates.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
3 references tracked. Mallory keeps watching after this page renders.
oss-sec: Re: Re: Heads-up: Upcoming Samba security releases (2026-04-09)
seclists.org
Open sourceoss-sec: Re: Heads-up: Upcoming Samba security releases (2026-04-09)
seclists.org
Open sourceDrupal security advisory (AV26-308) - Canadian Centre for Cyber Security
cyber.gc.ca
Open sourceSee the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Samba Command Injection Flaws Expose Internet-Facing Servers to Remote Takeover
Multiple critical Samba flaws have highlighted how non-default but dangerous configurations can turn exposed file-sharing infrastructure into a remote code execution path. `CVE-2025-10230` affects Samba's WINS server on Active Directory Domain Controllers when WINS support is enabled and a non-empty `wins hook` is configured, allowing an unauthenticated attacker to send a crafted WINS registration packet to UDP port `137` and inject shell metacharacters into a command executed by Samba, potentially with root privileges. Separately, `CVE-2026-4480` and `CVE-2026-4408`, both rated `CVSS 10.0`, affect Samba's printing subsystem and DCE/RPC SAMR server when administrators use vulnerable `print command` or `check password script` settings with `%J` or `%u` substitution characters. Samba issued fixes for the WINS flaw in versions `4.23.2`, `4.22.5`, and `4.21.9`, and for the later command-injection issues in `4.22.10`, `4.23.8`, and `4.24.3`. Reporting on internet exposure said more than 63,000 Samba assets were reachable on TCP `445`, underscoring the risk that misconfigured public SMB services could be used for server takeover, credential theft, ransomware deployment, and lateral movement. Defenders were urged to patch affected releases, audit `smb.conf` for risky `wins hook`, `print command`, and password-check script settings, monitor UDP `137` and SMB activity for suspicious behavior, and restrict external access with firewalls, VPNs, or IP allowlists.
Jun 29, 2026
Critical Samba WINS Command Injection Vulnerability Allowing Unauthenticated RCE on Domain Controllers
Samba has released a security update to address a critical remote command execution (RCE) vulnerability, tracked as CVE-2025-10230, which affects its Windows Internet Name Service (WINS) implementation when used as an Active Directory (AD) domain controller. The flaw arises because Samba does not strictly validate the wins hook script command when processing registration messages, allowing unauthenticated attackers to craft special hostnames that inject arbitrary commands into the target server. This vulnerability is rated with a maximum CVSS score of 10.0, indicating its severity and the potential for complete system compromise. The issue impacts multiple versions of Samba, specifically versions up to 4.23.1, 4.22.4, and 4.21.8, but only when Samba is configured as a domain controller with WINS support enabled and the wins hook parameter set. Systems running unaffected versions, such as Samba 4.23.2, 4.22.5, and 4.21.9 or later, are not vulnerable. The vulnerability allows attackers to execute commands with the privileges of the Samba process, which could lead to full control over the affected domain controller. Exploitation does not require authentication, significantly increasing the risk to exposed systems. Samba has released patched versions to address the flaw, and administrators are strongly urged to upgrade to the latest secure releases as soon as possible. As a temporary mitigation, organizations can disable the wins hook parameter and ensure that WINS support is not enabled unless absolutely necessary. The vulnerability is not enabled by default, but environments that have manually enabled WINS support and the wins hook parameter are at immediate risk. Security advisories recommend that users review their Samba configurations and apply the official patches or mitigations without delay. The flaw was publicly disclosed in mid-October 2025, and security researchers have highlighted the ease of exploitation and the critical nature of the risk. Organizations running Samba as an AD domain controller should prioritize remediation efforts to prevent potential compromise. The vulnerability underscores the importance of strict input validation and secure configuration practices in critical infrastructure components. The official Samba project has provided detailed guidance and download links for the patched versions. Failure to address this vulnerability could result in significant operational and security impacts, including domain-wide compromise and lateral movement by attackers. Security teams are advised to monitor for signs of exploitation and to audit their Samba deployments for vulnerable configurations.
Jun 29, 2026Samba fixes unauthenticated and low-privilege RCE flaws in SAMR and printing
Samba released security updates `4.24.3`, `4.23.8`, and `4.22.10` to fix six vulnerabilities affecting SMB, Active Directory, printing, and DCE/RPC components. The most serious issues are **CVE-2026-4408** and **CVE-2026-4480**, command-injection flaws that can lead to remote code execution in specific configurations. **CVE-2026-4408** affects the SAMR DCE/RPC service when `samba-dcerpcd` is used with the `check password script` option and unsafe `%u` expansion, while **CVE-2026-4480** affects the printing subsystem because Samba passed a client-controlled job description through the `%J` substitution in `print command` without properly escaping shell metacharacters.
Jun 29, 2026