{"id":"PYSEC-2026-912","summary":"Denial of Service in python-ldap","details":"python-ldap before 3.4.0 is vulnerable to a denial of service when ldap.schema is used for untrusted schema definitions, because of a regular expression denial of service (ReDoS) flaw in the LDAP schema parser. By sending crafted regex input, a remote authenticated attacker could exploit this vulnerability to cause a denial of service condition.","aliases":["CVE-2021-46823","GHSA-qfr5-wjpw-q4c4","GHSA-r8wq-qrxc-hmcm"],"modified":"2026-07-08T06:49:50.975651370Z","published":"2026-07-06T08:03:30.875950Z","references":[{"type":"WEB","url":"https://github.com/python-ldap/python-ldap/security/advisories/GHSA-r8wq-qrxc-hmcm"},{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2021-46823"},{"type":"WEB","url":"https://exchange.xforce.ibmcloud.com/vulnerabilities/221507"},{"type":"PACKAGE","url":"https://github.com/python-ldap/python-ldap"},{"type":"PACKAGE","url":"https://pypi.org/project/python-ldap"},{"type":"ADVISORY","url":"https://github.com/advisories/GHSA-qfr5-wjpw-q4c4"}],"affected":[{"package":{"name":"python-ldap","ecosystem":"PyPI","purl":"pkg:pypi/python-ldap"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"0"},{"fixed":"3.4.0"}]}],"versions":["2.3.13","2.4.0","2.4.1","2.4.10","2.4.12","2.4.13","2.4.14","2.4.15","2.4.16","2.4.17","2.4.18","2.4.19","2.4.2","2.4.20","2.4.21","2.4.22","2.4.25","2.4.26","2.4.27","2.4.28","2.4.29","2.4.3","2.4.30","2.4.31","2.4.32","2.4.33","2.4.35","2.4.36","2.4.37","2.4.38","2.4.39","2.4.4","2.4.40","2.4.41","2.4.42","2.4.43","2.4.44","2.4.45","2.4.5","2.4.6","2.4.7","2.4.8","2.4.9","2.5.1","2.5.2","3.0.0","3.0.0b1","3.0.0b2","3.0.0b3","3.0.0b4","3.1.0","3.2.0","3.3.0","3.3.1"],"database_specific":{"source":"https://github.com/pypa/advisory-database/blob/main/vulns/python-ldap/PYSEC-2026-912.yaml"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H"}]}