diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p1.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p1.patch
new file mode 100644
index 0000000000..ce54b2916f
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p1.patch
@@ -0,0 +1,131 @@
+From f21f87e0f64dc4aea8c9537f182282077ae6a37b Mon Sep 17 00:00:00 2001
+From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+Date: Mon, 23 Feb 2026 11:01:57 +1300
+Subject: [PATCH] CVE-2026-3012: do not fetch certificate over http
+
+In the case where a certificate was found via HTTP, it was trusted
+without verification and put in the global CA store.
+
+There is no means to check the certificate other than by comparing it
+to certificates we may have gathered via LDAP, but in that case there
+is no advantage over just using the LDAP-derived certificates.
+
+Using the LDAP certificates was already the fallback case if HTTP
+failed, so we just make it the default.
+
+The HTTP fetch depends on the NDES service, which is a variant of
+Simple Certificate Enrolment Protocol (SCEP, RFC8894), but in fact
+Samba implements none of that protocol other than the HTTP fetch. SCEP
+is for clients that are not true domain members. Domain members can
+access to certificates over LDAP. This patch is not reducing SCEP
+client support because Samba never had it.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=16003
+
+Reported-by: Arad Inbar, DREAM Security Research Team
+Reported-by: Nir Somech, DREAM Security Research Team
+Reported-by: Ben Grinberg, DREAM Security Research Team
+
+CVE: CVE-2026-3012
+Upstream-Status: Backport [https://gitlab.com/samba-team/samba/-/commit/f21f87e0f64dc4aea8c9537f182282077ae6a37b]
+
+Backport Changes:
+- Adapted python/samba/gp/gp_cert_auto_enroll_ext.py hunks to
+  Samba 4.19.9 context.
+- Omitted selftest/knownfail.d/gpo-auto-enrol because the Yocto
+  recipe does not run upstream Samba selftest.
+
+Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
+(cherry picked from commit f21f87e0f64dc4aea8c9537f182282077ae6a37b)
+Signed-off-by: Ashishkumar Parmar <asparmar@cisco.com>
+---
+diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py
+index df3b472..31de4b1 100644
+--- a/python/samba/gp/gp_cert_auto_enroll_ext.py
++++ b/python/samba/gp/gp_cert_auto_enroll_ext.py
+@@ -16,7 +16,6 @@
+
+ import os
+ import operator
+-import requests
+ from samba.gp.gpclass import gp_pol_ext, gp_applier, GPOSTATE
+ from samba import Ldb
+ from ldb import SCOPE_SUBTREE, SCOPE_BASE
+@@ -200,56 +199,24 @@ def get_supported_templates(server):
+     return out.strip().split()
+
+
+-def getca(ca, url, trust_dir):
+-    """Fetch Certificate Chain from the CA."""
++def getca(ca, trust_dir):
++    """Fetch a certificate from LDAP."""
+     root_cert = os.path.join(trust_dir, '%s.crt' % ca['name'])
+     root_certs = []
+
+-    try:
+-        r = requests.get(url=url, params={'operation': 'GetCACert',
+-                                          'message': 'CAIdentifier'})
+-    except requests.exceptions.ConnectionError:
+-        log.warn('Failed to establish a new connection')
+-        r = None
+-    if r is None or r.content == b'' or r.headers['Content-Type'] == 'text/html':
+-        log.warn('Failed to fetch the root certificate chain.')
+-        log.warn('The Network Device Enrollment Service is either not' +
+-                 ' installed or not configured.')
+-        if 'cACertificate' in ca:
+-            log.warn('Installing the server certificate only.')
+-            der_certificate = base64.b64decode(ca['cACertificate'])
+-            try:
+-                cert = load_der_x509_certificate(der_certificate)
+-            except TypeError:
+-                cert = load_der_x509_certificate(der_certificate,
+-                                                 default_backend())
+-            cert_data = cert.public_bytes(Encoding.PEM)
+-            with open(root_cert, 'wb') as w:
+-                w.write(cert_data)
+-            root_certs.append(root_cert)
+-        return root_certs
+-
+-    if r.headers['Content-Type'] == 'application/x-x509-ca-cert':
++    if 'cACertificate' in ca:
++        log.warn('Installing the server certificate only.')
++        der_certificate = base64.b64decode(ca['cACertificate'])
+         # Older versions of load_der_x509_certificate require a backend param
+         try:
+-            cert = load_der_x509_certificate(r.content)
++            cert = load_der_x509_certificate(der_certificate)
+         except TypeError:
+-            cert = load_der_x509_certificate(r.content, default_backend())
++            cert = load_der_x509_certificate(der_certificate,
++                                             default_backend())
+         cert_data = cert.public_bytes(Encoding.PEM)
+         with open(root_cert, 'wb') as w:
+             w.write(cert_data)
+         root_certs.append(root_cert)
+-    elif r.headers['Content-Type'] == 'application/x-x509-ca-ra-cert':
+-        certs = load_der_pkcs7_certificates(r.content)
+-        for i in range(0, len(certs)):
+-            cert = certs[i].public_bytes(Encoding.PEM)
+-            filename, extension = root_cert.rsplit('.', 1)
+-            dest = '%s.%d.%s' % (filename, i, extension)
+-            with open(dest, 'wb') as w:
+-                w.write(cert)
+-            root_certs.append(dest)
+-    else:
+-        log.warn('getca: Wrong (or missing) MIME content type')
+
+     return root_certs
+
+@@ -273,8 +240,7 @@ def changed(new_data, old_data):
+ def cert_enroll(ca, ldb, trust_dir, private_dir, auth='Kerberos'):
+     """Install the root certificate chain."""
+     data = dict({'files': [], 'templates': []}, **ca)
+-    url = 'http://%s/CertSrv/mscep/mscep.dll/pkiclient.exe?' % ca['hostname']
+-    root_certs = getca(ca, url, trust_dir)
++    root_certs = getca(ca, trust_dir)
+     data['files'].extend(root_certs)
+     global_trust_dir = find_global_trust_dir()
+     for src in root_certs:
+--
+2.43.0
diff --git a/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p2.patch b/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p2.patch
new file mode 100644
index 0000000000..e2989dc075
--- /dev/null
+++ b/meta-networking/recipes-connectivity/samba/samba/CVE-2026-3012_p2.patch
@@ -0,0 +1,51 @@
+From 7337d99ed55c01cd5837029485cd971a48f761c2 Mon Sep 17 00:00:00 2001
+From: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+Date: Thu, 26 Feb 2026 14:21:01 +1300
+Subject: [PATCH] CVE-2026-3012: gp_auto_enrol: skip CAs not found in
+ LDAP
+
+If a certificate is mentioned in a GPO but is not present as a
+cACertificate attribute on a pKIEnrollmentService object, we have no way
+of obtaining it, so we might as well forget it.
+
+BUG: https://bugzilla.samba.org/show_bug.cgi?id=16003
+
+CVE: CVE-2026-3012
+Upstream-Status: Backport [https://gitlab.com/samba-team/samba/-/commit/7337d99ed55c01cd5837029485cd971a48f761c2]
+
+Signed-off-by: Douglas Bagnall <douglas.bagnall@catalyst.net.nz>
+Reviewed-by: Jennifer Sutton <jennifersutton@catalyst.net.nz>
+(cherry picked from commit 7337d99ed55c01cd5837029485cd971a48f761c2)
+Signed-off-by: Ashishkumar Parmar <asparmar@cisco.com>
+---
+ python/samba/gp/gp_cert_auto_enroll_ext.py | 10 ++++++++++
+ 1 file changed, 10 insertions(+)
+
+diff --git a/python/samba/gp/gp_cert_auto_enroll_ext.py b/python/samba/gp/gp_cert_auto_enroll_ext.py
+index 815436e11e9c..de8b310afd95 100644
+--- a/python/samba/gp/gp_cert_auto_enroll_ext.py
++++ b/python/samba/gp/gp_cert_auto_enroll_ext.py
+@@ -452,11 +452,21 @@ class gp_cert_auto_enroll_ext(gp_pol_ext, gp_applier):
+                     # This is a basic configuration.
+                     cas = fetch_certification_authorities(ldb)
+                     for _ca in cas:
++                        if 'cACertificate' not in _ca:
++                            log.warning(f"ignoring CA '{_ca['name']}' with no "
++                                        "cACertificate in LDAP.")
++                            continue
++
+                         self.apply(guid, _ca, cert_enroll, _ca, ldb, trust_dir,
+                                    private_dir)
+                         ca_names.append(_ca['name'])
+                 # If EndPoint.URI starts with "HTTPS//":
+                 elif ca['URL'].lower().startswith('https://'):
++                    if 'cACertificate' not in ca:
++                        log.warning(f"ignoring CA '{ca['name']}' "
++                                    f"({ca['URL']}) with no "
++                                    "cACertificate in LDAP.")
++                        continue
+                     self.apply(guid, ca, cert_enroll, ca, ldb, trust_dir,
+                                private_dir, auth=ca['auth'])
+                     ca_names.append(ca['name'])
+--
+2.43.0
diff --git a/meta-networking/recipes-connectivity/samba/samba_4.19.9.bb b/meta-networking/recipes-connectivity/samba/samba_4.19.9.bb
index d50d9f5155..055e404bb9 100644
--- a/meta-networking/recipes-connectivity/samba/samba_4.19.9.bb
+++ b/meta-networking/recipes-connectivity/samba/samba_4.19.9.bb
@@ -24,6 +24,8 @@ SRC_URI = "${SAMBA_MIRROR}/stable/samba-${PV}.tar.gz \
            file://0005-Fix-pyext_PATTERN-for-cross-compilation.patch \
            file://0006-smbtorture-skip-test-case-tfork_cmd_send.patch \
            file://0007-Deleted-settiong-of-python-to-fix-the-install-confli.patch \
+           file://CVE-2026-3012_p1.patch \
+           file://CVE-2026-3012_p2.patch \
            "
 
 SRC_URI:append:libc-musl = " \
