A flaw was found in SSSD's LDAP sudo provider. When the ldap_sudo_search_base option is not explicitly configured, SSSD searches the entire LDAP directory tree for sudoRole objects. An authenticated attacker with write access to any subtree can inject a sudoRole object granting root-level sudo privileges on all SSSD-enrolled hosts.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-14474 exploits a dangerous default behavior in SSSD's LDAP sudo provider where unconfigured systems search entire directory trees for sudoRole objects. An authenticated attacker with write permissions to any LDAP subtree can inject malicious sudoRole objects that grant root-level sudo privileges across all hosts using that SSSD instance. This vulnerability is particularly severe because it requires only basic LDAP write access—not necessarily admin credentials—yet enables complete privilege escalation and lateral movement across an entire infrastructure. Organizations relying on SSSD for centralized authentication and sudo management face critical risk, especially in environments where LDAP write access is broadly distributed or where subtree permissions are not carefully restricted.
While CVE-2026-14474 does not map to specific MITRE ATT&CK techniques, Casky's skill library helps practitioners identify the attack patterns through detection of privilege escalation indicators and unauthorized configuration changes. Practitioners using Casky would examine findings related to unexpected sudoRole object creation in LDAP directories, monitoring for T1548 (Abuse Elevation Control Mechanism) and T1098 (Account Manipulation) patterns. Security teams should focus on LDAP query logs showing sudoRole searches without explicit search_base configuration, unauthorized LDAP write operations, and subsequent sudo command execution with unexpected privilege levels. Implementing explicit ldap_sudo_search_base configuration, restricting LDAP write access by subtree, and monitoring sudoRole object modifications provides the strongest defense against this injection vector.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-14474. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation