Home/ Blog/ Security news/ Article
Blog · Security news

A default in Red Hat's Linux login system lets one directory account seize root on every server

CVE-2026-14474: when SSSD's LDAP sudo provider has no explicit search base, one directory account can plant a rule that grants root on every enrolled Linux

Long row of server racks with one rack glowing red among the dark units

A privilege escalation flaw disclosed today does not live in code you can patch away. It lives in a default setting that is probably already active on your servers. Red Hat assigned CVE-2026-14474 to the System Security Services Daemon (SSSD), the service that most enterprise Linux hosts use to authenticate against a central directory. When SSSD resolves sudo rules over LDAP and nobody has told it where to look, it walks the whole directory. That one default converts the ability to write an object anywhere in the directory into root across the fleet.

Red Hat scored it 8.8 (high), reachable over the network by an already-authenticated user who starts with only low privileges, and classified it as CWE-1188, insecure default initialization. That classification is the whole story. This is not a bug an attacker triggers with a crafted packet. It is a footgun that ships pointed at your foot.

What the flaw actually does

SSSD can resolve sudo rules from a directory using the sudo_provider setting. Sudo rules in LDAP are stored as sudoRole objects, which say who may run what, and on which hosts. Administrators are meant to keep those objects in a dedicated container, for example ou=sudoers,dc=example,dc=com, and point SSSD at it with the ldap_sudo_search_base option.

The flaw is what happens when that option is left unset. Rather than failing closed or narrowing the scope, SSSD falls back to the top of the domain and reads the full subtree, per Red Hat's bug report. Every sudo rule anywhere in the directory now counts. An authenticated user who can add an object to any branch they control can create one that hands their own account root, mark it to apply to all machines, and watch every host that reads this directory obey it.

Which sudo providers are exposed

The exposure follows the code path, not the directory brand. The ldap and ad (Active Directory) providers both run the affected lookup, because the Active Directory provider hands sudo resolution to the same routine. The ipa provider, used with FreeIPA, resolves sudo a different way and is not affected.

SSSD sudo providerExposed by defaultWhy
ldapYesSearches the entire directory tree for sudo rules when no search base is set
ad (Active Directory)YesHands sudo lookups to the same LDAP routine
ipa (FreeIPA)NoUses a separate sudo resolution path that is not affected
Source: Red Hat Bugzilla 2496556 for CVE-2026-14474.

Red Hat lists the affected package across Red Hat Enterprise Linux versions 7 through 10, and in OpenShift Container Platform 4. SSSD is not a Red Hat exclusive, though. It is the standard directory client on Fedora, AlmaLinux, Rocky, and is widely deployed on Ubuntu and Debian hosts joined to LDAP or Active Directory. If your Linux fleet pulls sudo rules from a directory, this is your default to check.

Why delegated administration makes this worse

The precondition, write access to some part of the directory, sounds like a high bar until you remember how large directories are actually run. Delegated administration is the norm: the team that owns one organizational unit gets write access to that branch so they can manage their own users, groups, and service accounts. That delegation is normally treated as safe, because a branch admin can only touch their branch.

This flaw inverts that assumption. With the sudo search base unset, an object written into any delegated branch is still read fleet-wide. The more you have delegated write access down the tree, the larger the set of accounts that can quietly escalate to root everywhere. A single compromised low-privilege service account with write access to one container becomes a path to the whole estate. That is the real blast radius, and it is bigger in mature, heavily-delegated environments than in small flat ones.

Set the search base today, then hunt the directory

At the time of writing there is no fixed SSSD package published, and the Red Hat tracker is still open. Waiting for a patch is the wrong reflex here anyway, because both the exposure and the fix already live in your configuration. Two actions, in order.

First, close the default. On every host that uses an ldap or ad sudo provider, set ldap_sudo_search_base in sssd.conf to the specific container that holds your sudo rules, then restart the service and clear the SSSD cache. Confirm no host is running a sudo provider with that option blank. This is the change that actually removes the exposure, and you can make it now.

Second, treat the directory as the crime scene, not just the hosts. A planted sudo rule sits in the directory and keeps applying to every host that reads it until someone deletes the object, so patching a host does not undo it. Enumerate every sudoRole object in your directory and flag any that sit outside your intended sudoers container, and any that grant root broadly (a sudoUser or sudoHost value of ALL is the tell). In MITRE ATT&CK terms this is abuse of an elevation control mechanism (T1548) reached through account manipulation (T1098), so your detection should watch for new or modified sudo objects in the directory and for accounts suddenly resolving root on hosts they never had before. Alerting on directory writes to sudo objects, and on unexpected root sessions, is what catches an abuse of this in the window before you have locked every config down.

No public exploitation has been reported as of publication, and there is no public proof-of-concept. That is the good news and the reason to move now: the fix is a settings change you control, and the honest window to make it is before someone writes the object rather than after.

Topics

Frequently asked questions

What is CVE-2026-14474?

CVE-2026-14474 is a privilege escalation flaw in SSSD, the identity daemon on most enterprise Linux. When its LDAP sudo provider has no explicit search base configured, SSSD searches the entire directory for sudo rules, so any directory write can grant root. Red Hat rates it 8.8.

Which systems are affected?

Hosts using SSSD with the ldap or ad (Active Directory) sudo provider and no explicit ldap_sudo_search_base are exposed. Red Hat lists RHEL 7, 8, 9, 10, and OpenShift 4. The ipa (FreeIPA) provider is not affected. SSSD also ships on Fedora, AlmaLinux, Rocky, Ubuntu, and Debian.

Is there a patch for CVE-2026-14474?

No fixed SSSD package had been published at the time of writing, and Red Hat's tracker was still open. The mitigation does not need a patch: set ldap_sudo_search_base explicitly to the container that holds your sudo rules, then restart SSSD and clear its cache.

How do I know if I am exposed?

Check sssd.conf on each host. If a domain uses sudo_provider = ldap or ad and ldap_sudo_search_base is unset, that host searches the whole directory and is exposed. Hosts using sudo_provider = ipa, or with an explicit narrow search base, are not.

Is CVE-2026-14474 being exploited?

No public exploitation and no proof-of-concept had been reported as of publication. The precondition is write access to some part of the directory, so the practical risk is highest in large, heavily-delegated LDAP or Active Directory environments where many accounts hold write access to a branch.

What should defenders do first?

Set ldap_sudo_search_base explicitly on every host using an ldap or ad sudo provider, then restart SSSD and clear its cache. After that, audit the directory for sudoRole objects outside your intended sudoers container, especially any with a sudoUser or sudoHost value of ALL.

Ready to meet the Guardians?

Deploys fast - agentless for monitoring and cloud, a lightweight agent for deep endpoint security. Just Suriq, standing watch.