CVE-2026-14474 PUBLISHED

Sssd: sssd: sudo ldap provider searches entire directory tree for sudorole objects by default, enabling privilege escalation

Assigner: redhat
Reserved: 02.07.2026 Published: 07.07.2026 Updated: 07.07.2026

A flaw was found in SSSD's LDAP sudo provider. When the ldap_sudo_search_base option is not explicitly configured, SSSD searches the entire LDAP directory tree for sudoRole objects. An authenticated attacker with write access to any subtree can inject a sudoRole object granting root-level sudo privileges on all SSSD-enrolled hosts.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 8.8

Product Status

Vendor Red Hat
Product Red Hat Enterprise Linux 10
Versions Default: affected
Vendor Red Hat
Product Red Hat Enterprise Linux 6
Versions Default: unknown
Vendor Red Hat
Product Red Hat Enterprise Linux 7
Versions Default: affected
Vendor Red Hat
Product Red Hat Enterprise Linux 8
Versions Default: affected
Vendor Red Hat
Product Red Hat Enterprise Linux 9
Versions Default: affected
Vendor Red Hat
Product Red Hat OpenShift Container Platform 4
Versions Default: affected

Workarounds

Set ldap_sudo_search_base explicitly in /etc/sssd/sssd.conf to restrict the search to the designated sudoers container:

[domain/example.com] ldap_sudo_search_base = ou=sudoers,dc=example,dc=com

Additionally, restrict LDAP ACLs to prevent non-admin principals from creating sudoRole objects outside the designated sudoers container.

Credits

  • This issue was discovered by Ian Murphy (Red Hat).

References

Problem Types

  • Initialization of a Resource with an Insecure Default CWE