Medium severity6.5NVD Advisory· Published May 13, 2016· Updated May 6, 2026

CVE-2016-2860

Description

The newEntry function in ptserver/ptprocs.c in OpenAFS before 1.6.17 allows remote authenticated users from foreign Kerberos realms to bypass intended access restrictions and create arbitrary groups as administrators by leveraging mishandling of the creator ID.

Affected products

Openafs/Openafs
cpe:2.3:a:openafs:openafs:*:*:*:*:*:*:*:*
Range: <=1.6.16
Debian/Debian Linux
cpe:2.3:o:debian:debian_linux:8.0:*:*:*:*:*:*:*

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.openafs.org/pages/security/OPENAFS-SA-2016-001.txtnvdVendor Advisory
www.debian.org/security/2016/dsa-3569nvd
lists.openafs.org/pipermail/openafs-announce/2016/000496.htmlnvd
www.openafs.org/dl/openafs/1.6.17/RELNOTES-1.6.17nvd

News mentions

No linked articles in our index yet.

cvss	0.423
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000