Skip to content
Threat Feed
high advisory

CVE-2026-14474 - SSSD LDAP sudo Provider Privilege Escalation

A vulnerability in SSSD's LDAP sudo provider, CVE-2026-14474, allows an authenticated attacker to achieve root-level privilege escalation by injecting a malicious sudoRole object into any writable LDAP subtree when the `ldap_sudo_search_base` option is not explicitly configured on SSSD-enrolled Linux hosts.

CVE-2026-14474 details a critical flaw within the SSSD (System Security Services Daemon) LDAP sudo provider, identified as having a CVSS v3.1 base score of 8.8. This vulnerability affects Linux systems where SSSD is used to manage sudo privileges via an LDAP directory, specifically when the ldap_sudo_search_base option is not explicitly defined in the SSSD configuration. In such a scenario, SSSD defaults to searching the entire LDAP directory tree for sudoRole objects. An authenticated attacker who possesses write access to any subtree within the LDAP directory can exploit this behavior. By injecting a specially crafted sudoRole object into their writable subtree, the attacker can grant themselves or other controlled accounts root-level sudo privileges on all SSSD-enrolled hosts that retrieve and process these LDAP sudo rules, leading to complete system compromise. This highlights the importance of explicit configuration and proper access controls within LDAP environments integrated with SSSD.

Attack Chain

  1. An authenticated attacker gains access to a user account within the target LDAP environment.
  2. The attacker identifies that SSSD on target Linux hosts is configured to use the LDAP sudo provider without explicitly setting the ldap_sudo_search_base option.
  3. The attacker leverages their authenticated access to confirm write permissions to any subtree within the LDAP directory, even if it is not the intended or traditional sudoRole search base.
  4. The attacker creates and injects a new, malicious sudoRole object into the writable LDAP subtree. This object is crafted to grant root-level sudo privileges (e.g., ALL=(ALL:ALL) ALL) to a user or group controlled by the attacker.
  5. When a user attempts to execute a command with sudo on an SSSD-enrolled host, SSSD queries the LDAP server for sudoRole objects across the entire directory tree due to the missing ldap_sudo_search_base configuration.
  6. SSSD discovers the attacker's injected sudoRole object during its broad LDAP search and interprets it as a legitimate sudo rule.
  7. SSSD processes the malicious sudoRole, effectively granting the specified attacker-controlled user or group root-level sudo privileges.
  8. The attacker can now execute arbitrary commands with sudo as the root user on any SSSD-enrolled Linux host configured with the vulnerable setup, achieving full system compromise.

Impact

Successful exploitation of CVE-2026-14474 results in immediate root-level privilege escalation on all affected Linux hosts configured to use the vulnerable SSSD LDAP sudo provider. This allows the attacker to fully compromise the integrity, confidentiality, and availability of the affected systems. An attacker can exfiltrate sensitive data, install backdoors, deploy malware (e.g., ransomware), or disrupt critical services. The broad scope of sudoRole application means a single malicious injection can affect numerous machines across an enterprise, leading to widespread organizational impact and potential regulatory violations.

Recommendation

  • Immediately update SSSD to the patched version once available to address CVE-2026-14474.
  • Explicitly configure the ldap_sudo_search_base option in your SSSD configuration files (/etc/sssd/sssd.conf) on all Linux hosts. Define a specific, secure base DN where sudoRole objects are expected, rather than allowing SSSD to search the entire LDAP tree.
  • Review and restrict write access permissions to all LDAP directory subtrees, ensuring only authorized administrators can modify entries relevant to sudoRole objects.
  • Regularly audit your LDAP directory for unauthorized or suspicious sudoRole objects that may have been injected.
  • Monitor sudo logs (e.g., /var/log/secure or journald) for unusual privilege escalation attempts or commands executed by newly privileged users on SSSD-enrolled systems.