Severity by source
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:X
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:L/VA:L/SC:L/SI:L/SA:L/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:Y/R:X/V:X/RE:X/U:X
Lifecycle Timeline
4DescriptionCVE.org
LDAP filter injection vulnerability in Yandex Database prior to 25.3.1.25 allows a remote attacker with valid LDAP credentials to bypass group membership checks resulting in unauthorized access to the database.
AnalysisAI
LDAP filter injection in Yandex Database (all versions prior to 25.3.1.25) enables a network-accessible attacker holding valid LDAP credentials to manipulate the group membership validation queries sent to the directory service, bypassing access controls and gaining unauthorized database access beyond their permitted scope. The CVSS 4.0 vector (AV:N/AC:L/AT:N/PR:L/UI:N) and the Automatable:Yes (AU:Y) attribute confirm this is a low-complexity, scriptable attack requiring no user interaction, increasing risk in environments with large LDAP user populations. No public exploit code has been identified and the vulnerability is not listed in CISA KEV at time of analysis; a vendor-released patch is available at version 25.3.1.25.
Technical ContextAI
Yandex Database (YDB) supports LDAP-based authentication with group membership enforcement to restrict database access. The vulnerable component is the logic that constructs LDAP search filter strings for group membership validation - CWE-280 (Improper Handling of Insufficient Permissions or Privileges) identifies the root cause as the application's failure to correctly enforce group-level access restrictions when attacker-controlled input is included in LDAP filter expressions. LDAP filter injection occurs when user-supplied values such as usernames or attribute fields are concatenated into LDAP search filters without escaping LDAP metacharacters (e.g., parentheses, asterisks, null bytes, backslashes), allowing the attacker to alter filter semantics so the directory service incorrectly reports group membership. This is the directory-service analog of SQL injection. The CPE string cpe:2.3:a:yandex:yandex_database:*:*:*:*:*:*:*:* scopes the vulnerability to all releases of the yandex_database application product up to the fixed version, with no lower-bound version floor confirmed.
RemediationAI
The primary remediation is upgrading Yandex Database to version 25.3.1.25 or later, which contains the vendor-released patch addressing the LDAP filter injection flaw; the vendor security changelog at https://ydb.tech/docs/ru/security-changelog should be consulted for upgrade instructions. If immediate patching is not operationally feasible, compensating controls include: restricting LDAP credential issuance to only operationally necessary accounts, directly shrinking the population of principals who could exploit this flaw; deploying network-level access controls (firewall rules, VPC segmentation) to limit which source hosts can reach the YDB LDAP authentication interface, preventing external exploitation; and enabling enhanced audit logging on the LDAP directory server to detect anomalous filter queries containing metacharacters such as parentheses or asterisks, which would indicate active exploitation attempts. Note that all compensating controls reduce attack surface without eliminating the underlying injection flaw - patching to 25.3.1.25 remains mandatory.
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-33900
GHSA-4x3h-p6xh-h5x5