High8.8Red Hat & Ubuntu Linux Updated
sudo LDAP provider searches entire directory tree for sudoRole objects by default, enabling privilege escalation
CVE-2026-14474 Published Jul 7, 2026Updated by vendor Jul 7, 2026
CVE-2026-14474
Affected products & platforms
Red Hat & Ubuntu LinuxUnclassified
Summary
sudo LDAP provider searches entire directory tree for sudoRole objects by default, enabling privilege escalation. Red Hat rates this important (CVSS 8.8). Weakness: CWE-1188. No fix erratum has been published yet; monitor the Red Hat CVE page and apply the RHSA when released.
Mitigation checklist
Recommended fix / mitigation
- Set ldap_sudo_search_base explicitly in /etc/sssd/sssd.conf to restrict the search to the designated sudoers container: [domain/example.com] ldap_sudo_search_base = ou=sudoers,dc=example,dc=com Additionally, restrict LDAP ACLs to prevent non-admin principals from creating sudoRole objects outside the designated sudoers container.
Official advisory · high-confidence parse· fetched 5 hours ago·verify at source
Discussion(0)
No comments yet. Share field notes, upgrade gotchas, or questions — verify against the vendor advisory before acting on community advice.
Sign in to join the discussion.