InspIRCd Security Advisory 2026-01

Summary

The LDAP modules before v4.11.0 do not escape user-provided values before using them in LDAP search filters. This vulnerability can be used to access an LDAP-restricted server (if ldapauth is used) or gain access to a LDAP-restricted operator account (if ldapoper is used) without knowing the correct username if the password of any user is known.

Thanks to Tristan who independently reported this vulnerability a few days after it was discovered.

Details

ldapauth

InspIRCd uses an LDAP search filter to find the user to authenticate as. If a user connects using an LDAP name containing special characters like \2a this will be interpreted as an escape sequence by the LDAP library. This can be used to either match against any user (*) or enumerate users (foo*).

The first result the search filter finds will be used as the user to authenticate against LDAP as allowing an attacker to enumerate commonly used passwords to try and gain access to the server.

It is not expected that this vulnerability will affect many users as LDAP is not used on many networks.

ldapoper

InspIRCd uses an LDAP search filter to find the oper account to authenticate as. If the configuration contains an operator account containing a special character like * it will be used unescaped in the search filter. This can be used to either match against any user (*) or enumerate users (foo*).

The first result the search filter finds will be used as the user to authenticate against LDAP as allowing an attacker to enumerate commonly used passwords to try and gain access to an operator account.

It is not expected that this vulnerability will affect many users as LDAP is not used on many networks and it requires a specific unusual server operator configuration.

Affected Versions

This vulnerability is present in the following releases:

• v4.10.1
• v4.10.0
• v4.9.0
• v4.8.0
• v4.7.0
• v4.6.0
• v4.5.0
• v4.4.0
• v4.3.0
• v4.2.0
• v4.1.0
• v4.0.1
• v4.0.0

It is also present in all older releases but these branches are no longer receiving security fixes.

Recommended Action

This vulnerability is fixed in version 4.11.0. It is strongly recommended that all affected users upgrade.

If upgrading is not possible then the ldapauth and ldapoper modules should be temporarily unloaded.

If it is not possible to temporarily unload the ldapauth module then the following actions should be taken:

• Add a Q-line on *\* if <ldapauth:field> is set to nickname (this is the default).
• Add a G-line on *\*@* if <ldapauth:field> is set to username.
• Switch to a different method and apply the appropriate fix if <ldapauth:field> is set to password.

If it is not possible to temporarily unload the ldapoper module then make sure that no server operator accounts contain any of the following characters in <oper:name>: *\().

History

• 2008-03-14 — The ldapauth module was added with the vulnerability.
• 2013-03-29 — The vulnerability was introduced to the ldapoper module via code copied from the ldapauth module
• 2026-05-29 — The vulnerability was discovered by the InspIRCd team whilst porting some code from Anope.
• 2026-05-31 — A fix was prepared by the InspIRCd team.
• 2026-06-03 — The vulnerability was independently reported to the InspIRCd team
• 2025-06-06 — InspIRCd v4.11.0 was released with a fix for the vulnerability.

References

• InspIRCd commit b7e5357b.

• InspIRCd commit 6319ae4f.