Yamcs CVE-2026-42568
MEDIUMSeverity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Primary rating from Vendor (https://github.com/yamcs/yamcs) · only source for this CVE.
CVSS VectorVendor: https://github.com/yamcs/yamcs
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
2Blast Radius
ecosystem impact- 6 maven packages depend on org.yamcs:yamcs-core (6 direct, 0 indirect)
Ecosystem-wide dependent count for version 5.12.7.
DescriptionCVE.org
Summary
An LDAP injection vulnerability exists in org.yamcs.security.LdapAuthModule when constructing search filters. The username parameter is inserted directly into the LDAP filter without proper RFC 4515 escaping.
Root Cause
File: yamcs-core/src/main/java/org/yamcs/security/LdapAuthModule.java:233
The username parameter is inserted directly into an LDAP search filter without RFC 4515 escaping:
// VULNERABLE
var filter = userFilter.replace("{0}", username);
var searchResult = getSingleResult(ctx, userBase, filter, controls);LDAP wildcard characters (*, (, )) are accepted without sanitization.
Impact
With a known valid password, username=* authenticates as the first user returned by the LDAP search - enabling horizontal privilege escalation between accounts sharing similar passwords or when the attacker knows one valid password.
This affects deployments that use org.yamcs.security.LdapAuthModule in their etc/security.yaml configuration file.
Proof of Concept
curl -X POST "http://TARGET:8090/auth/token" \
-d "grant_type=password&username=*&password=known_password"
# Returns token for first matching LDAP userFix
Apply RFC 4515 escaping before filter construction:
private static String escapeLdapFilter(String input) {
return input
.replace("\\", "\\5c")
.replace("*", "\\2a")
.replace("(", "\\28")
.replace(")", "\\29")
.replace("\0", "\\00");
}
var filter = userFilter.replace("{0}", escapeLdapFilter(username));AnalysisAI
LDAP injection in Yamcs LdapAuthModule (yamcs-core < 5.12.7) enables horizontal privilege escalation for authenticated low-privilege users. By submitting a wildcard character as the username alongside a single known valid LDAP password, an attacker causes the unescaped LDAP search filter to match the first user returned by the directory query, effectively authenticating as that account. A proof-of-concept exploit is publicly available in the GitHub advisory; no CISA KEV listing exists, but the low attack complexity and published PoC make this a credible threat for any Yamcs deployment using LDAP authentication.
Technical ContextAI
Yamcs (Yet Another Mission Control System) is a Java-based spacecraft operations framework; the affected component is the Maven artifact org.yamcs:yamcs-core. The vulnerability is rooted in CWE-90 (Improper Neutralization of Special Elements in an LDAP Query). In LdapAuthModule.java at line 233, the username parameter is interpolated directly into an LDAP search filter string via a simple string replace - userFilter.replace("{0}", username) - without applying RFC 4515 escape sequences for special characters such as *, (, ), \, and \0. Because LDAP wildcard semantics are preserved, a submitted username of * expands the filter to match all directory entries, and the code returns the first result. The fix requires pre-processing input through an RFC 4515-compliant escape function before filter construction, as documented in the advisory.
RemediationAI
Vendor-released patch: yamcs-core 5.12.7 (and 5.13.0). Upgrade the org.yamcs:yamcs-core Maven dependency to version 5.12.7 or 5.13.0 immediately; release notes for 5.12.7 confirm security updates are included (https://github.com/yamcs/yamcs/releases/tag/yamcs-5.12.7). If immediate upgrade is not feasible, the primary compensating control is to disable the LdapAuthModule entirely by removing or replacing the org.yamcs.security.LdapAuthModule entry in etc/security.yaml with an alternative authentication provider - this eliminates the attack surface entirely but requires an alternative identity store. A secondary control is to restrict network access to the Yamcs auth endpoint (default port 8090) to trusted networks only, limiting the pool of potential attackers to those already inside the perimeter; this does not eliminate the vulnerability but raises the bar for exploitation. Blocking wildcard-containing usernames at a reverse proxy or WAF layer (e.g., rejecting requests where the username field contains *, (, or )) is a viable short-term filter, though WAF bypass risks apply. No side effects are expected from the upstream patch as it only adds RFC 4515 escaping to the filter-construction code path.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same weakness CWE-90 – LDAP Injection
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
GHSA-cqh3-jg8p-336j