A path traversal flaw was found in SSSD's AD GPO provider. The ad_gpo_extract_smb_components() function does not sanitize .. sequences in the gPCFileSysPath LDAP attribute, allowing an attacker with AD GPO management access to write files outside the GPO cache directory as root. On default RHEL configurations with SELinux enforcing, this can be used to inject Kerberos configuration leading to authentication bypass.
Casky was already ahead
This CVE exploits attack patterns that Casky's 0matched skills already investigate — long before this vulnerability was disclosed. Claude's reasoning model maps these techniques to MITRE ATT&CK, so practitioners who ran these skills have already seen the threat behaviour in their findings.
CVE-2026-14476 is a critical path traversal vulnerability in SSSD's Active Directory GPO (Group Policy Object) provider that allows attackers with AD GPO management privileges to write arbitrary files as root outside the intended GPO cache directory. The flaw stems from insufficient sanitization of directory traversal sequences (..) in the gPCFileSysPath LDAP attribute within the ad_gpo_extract_smb_components() function. This matters significantly because GPO management is often delegated to mid-level administrators, and the vulnerability can be weaponized to inject malicious Kerberos configurations that bypass authentication mechanisms—particularly on default RHEL deployments with SELinux enforcing mode. Any organization using SSSD for AD integration, especially in enterprise Linux environments, faces exposure to privilege escalation and authentication bypass attacks.
While CVE-2026-14476 does not map to explicit MITRE ATT&CK techniques, Casky's security skills powered by Claude AI would detect attack patterns associated with CWE-23 (path traversal) through analysis of LDAP attribute manipulation, suspicious file system operations outside expected directories, and anomalous Kerberos configuration changes. Practitioners using Casky would observe detection signals around: (1) abnormal LDAP queries targeting gPCFileSysPath attributes with traversal sequences, (2) SSSD process writes to system directories like /etc/krb5.conf outside normal update patterns, and (3) authentication failures or unexpected Kerberos realm redirections following GPO synchronization events. These findings would correlate with privilege escalation indicators (T1548) and credential access techniques (T1110), enabling defenders to identify compromise attempts before authentication bypass succeeds.
Composite risk scoring from EPSS, CISA KEV, Shodan, and GreyNoise — 21 security APIs correlated into a single Casky Risk Score. Coming in Casky Pro. Join early access →
Casky has 0 skills that investigate the attack patterns behind CVE-2026-14476. Run one and get CVSS-scored findings in 3 minutes.
Run the skill that detects this →© 2026 Casky.AI, Inc. · AI Security Investigation