Critical Samba Vulnerability (CVE-2026-4480) Enables Unauthenticated Remote Code Execution
A maximum-severity flaw (CVE-2026-4480, CVSS 10.0) has been discovered in Samba’s printing subsystem, allowing unauthenticated remote attackers to execute arbitrary commands on vulnerable servers. The vulnerability stems from improper handling of the %J substitution character in Samba’s print command configuration, which fails to sanitize shell metacharacters in client-controlled job descriptions.
Exploiting the flaw requires no credentials, as Samba print servers permit guest printing by default. Attackers with network access can achieve full remote code execution (RCE) without user interaction, posing a severe risk to enterprise environments where Samba is commonly deployed as a Windows-compatible print server on Linux/Unix systems.
Affected Systems & Mitigations
The flaw impacts all Samba versions where the print command setting includes %J without proper escaping. Servers using printing = cups or printing = iprint are unaffected, as are those that omit %J entirely. Partial mitigation is possible by wrapping %J in single quotes ('%J'), though this does not eliminate all risks.
The Samba team has released patches in three stable versions:
- Samba 4.22.10
- Samba 4.23.8
- Samba 4.24.3
For immediate protection, administrators are advised to upgrade, or, until they can, to apply workarounds such as removing %J from the print command or restricting guest printing access. The vulnerability was addressed by developers Stefan Metzmacher and Douglas Bagnall; the flaw's unauthenticated nature and Samba's widespread use underscore the urgency of patching.
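As an added audit helper that is not part of the advisory or of Samba itself, the script below reads an smb.conf and classifies each print share's effective print command against the conditions described above (cups/iprint backend, %J absent, %J single-quoted, or %J bare), while reporting the share's guest setting. It assumes an INI-like smb.conf that configparser can read (no backslash continuations); the sample config and share names are constructed for the demo.

```python
"""Audit an smb.conf for print commands exposed to CVE-2026-4480 (added example).
Classifies each share's effective `print command` by how it uses %J (job name)."""
import configparser
import re

SAFE_BACKENDS = {"cups", "iprint"}   # advisory: these backends are unaffected
QUOTED_J = re.compile(r"'%J'")       # the partial mitigation from the advisory
BARE_J = re.compile(r"%J")           # any other %J, including a double-quoted one

# Constructed sample config: one share inherits the global (bare %J) command,
# one quotes %J, one uses the cups backend.
SAMPLE_SMB_CONF = """\
[global]
printing = bsd
print command = lpr -r -P %p -J %J %s
[hr-printer]
guest ok = yes
[legacy]
print command = lpr -r -P %p -J '%J' %s
[cups-queue]
printing = cups
print command = lp -d %p -t %J %s
"""

def effective(cp, share, key):
    # Share-level value, falling back to [global]; None if unset in both.
    for section in (share, "global"):
        if cp.has_section(section) and cp.has_option(section, key):
            return cp.get(section, key).strip()
    return None

def audit(text):
    # Returns {share: (status, guest note)} for every share with a print command.
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.read_string(text)
    findings = {}
    for share in cp.sections():
        cmd = effective(cp, share, "print command")
        if share == "global" or cmd is None:
            continue   # no explicit print command to inspect for this share
        backend = (effective(cp, share, "printing") or "").lower()
        guest = "guest ok = " + (effective(cp, share, "guest ok") or "unset")
        if backend in SAFE_BACKENDS:
            status = "ok: printing = %s is unaffected per the advisory" % backend
        elif BARE_J.search(QUOTED_J.sub("", cmd)):
            status = "VULNERABLE: bare %J reaches the shell; upgrade or drop %J"
        elif QUOTED_J.search(cmd):
            status = "partial: '%J' is quoted; still upgrade or drop %J"
        else:
            status = "ok: print command does not use %J"
        findings[share] = (status, guest)
    return findings
```

Running `audit()` over a real smb.conf text flags every printable share that inherits a global print command, which is where the bare %J usually hides.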
Source: https://cyberpress.org/critical-samba-vulnerability/
Samba TPRM report: https://www.rankiteo.com/company/sambainc
"id": "sam1780043088",
"linkid": "sambainc",
"type": "Vulnerability",
"date": "5/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'type': 'Enterprise'}],
'attack_vector': 'Network',
'description': 'A maximum-severity flaw (CVE-2026-4480, CVSS 10.0) has been '
'discovered in Samba’s printing subsystem, allowing '
'unauthenticated remote attackers to execute arbitrary '
'commands on vulnerable servers. The vulnerability stems from '
'improper handling of the `%J` substitution character in '
'Samba’s print command configuration, which fails to sanitize '
'shell metacharacters in client-controlled job descriptions. '
'Exploiting the flaw requires no credentials, as Samba print '
'servers permit guest printing by default. Attackers with '
'network access can achieve full remote code execution (RCE) '
'without user interaction, posing a severe risk to enterprise '
'environments where Samba is commonly deployed as a '
'Windows-compatible print server on Linux/Unix systems.',
'impact': {'operational_impact': 'Full remote code execution (RCE) on '
'vulnerable servers',
'systems_affected': 'Samba print servers on Linux/Unix systems'},
'post_incident_analysis': {'corrective_actions': 'Patches released by Samba '
'team (Stefan Metzmacher and '
'Douglas Bagnall)',
'root_causes': 'Improper handling of the `%J` '
'substitution character in Samba’s '
'print command configuration, '
'failing to sanitize shell '
'metacharacters in '
'client-controlled job '
'descriptions'},
'recommendations': 'Upgrade to patched versions (Samba 4.22.10, 4.23.8, '
'4.24.3), remove `%J` from print command, or restrict '
'guest printing access. Apply workarounds such as wrapping '
"`%J` in single quotes (`'%J'`).",
'references': [{'source': 'Samba Security Advisory'}],
'response': {'containment_measures': 'Upgrade to patched versions (Samba '
'4.22.10, 4.23.8, 4.24.3), remove `%J` '
'from print command, or restrict guest '
'printing access',
'remediation_measures': 'Apply patches or workarounds such as '
'wrapping `%J` in single quotes '
"(`'%J'`)"},
'title': 'Critical Samba Vulnerability (CVE-2026-4480) Enables '
'Unauthenticated Remote Code Execution',
'type': 'Remote Code Execution (RCE)',
'vulnerability_exploited': 'CVE-2026-4480'}