CVE-2026-40606
ProxyAuth Addon LDAP Injection in mitmproxy
CVSS Score
4.8
EPSS Score
0.0%
EPSS Percentile
0th
mitmproxy is a interactive TLS-capable intercepting HTTP proxy for penetration testers and software developers and mitmweb is a web-based interface for mitmproxy. In mitmproxy 12.2.1 and below, the builtin LDAP proxy authentication does not correctly sanitize the username when querying the LDAP server. This allows a malicious client to bypass authentication. Only mitmproxy instances using the proxyauth option with LDAP are affected. This option is not enabled by default. The vulnerability has been fixed in mitmproxy 12.2.2 and above.
| CWE | CWE-90 |
| Vendor | mitmproxy |
| Product | mitmproxy |
| Published | Apr 21, 2026 |
Stay Ahead of the Next One
Get instant alerts for mitmproxy mitmproxy
Be the first to know when new medium vulnerabilities affecting mitmproxy mitmproxy are published โ delivered to Slack, Telegram or Discord.
Get Free Alerts โ
Free ยท No credit card ยท 60 sec setup
CVSS v3 Breakdown
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:L/I:L/A:N Attack Vector
Network
Attack Complexity
High
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None
Affected Versions
mitmproxy / mitmproxy
< 12.2.2