Yamcs CVE-2026-42568

Severity: MEDIUM, CVSS 3.1 score 4.3
LDAP Injection (CWE-90)
2026-05-26 https://github.com/yamcs/yamcs GHSA-cqh3-jg8p-336j

CVSS Vector (NVD)

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: Low
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Lifecycle Timeline

  • Source Code Evidence Fetched: May 27, 2026 - 00:04 (vuln.today)
  • Analysis Generated: May 27, 2026 - 00:04 (vuln.today)

Blast Radius

Ecosystem impact
  • 6 maven packages depend on org.yamcs:yamcs-core (6 direct, 0 indirect)

Ecosystem-wide dependent count for version 5.12.7.

Description (NVD)

Summary

An LDAP injection vulnerability exists in org.yamcs.security.LdapAuthModule when constructing search filters. The username parameter is inserted directly into the LDAP filter without proper RFC 4515 escaping.

Root Cause

File: yamcs-core/src/main/java/org/yamcs/security/LdapAuthModule.java:233

The username parameter is inserted directly into an LDAP search filter without RFC 4515 escaping:

```java
// VULNERABLE
var filter = userFilter.replace("{0}", username);
var searchResult = getSingleResult(ctx, userBase, filter, controls);
```

LDAP filter metacharacters (the wildcard * and the grouping characters ( and )) are accepted without sanitization.

Impact

With a known valid password, username=* authenticates as the first user returned by the LDAP search. This enables horizontal privilege escalation between accounts sharing similar passwords, or when the attacker knows one valid password.

This affects deployments that use org.yamcs.security.LdapAuthModule in their etc/security.yaml configuration file.

Proof of Concept

```bash
curl -X POST "http://TARGET:8090/auth/token" \
  -d "grant_type=password&username=*&password=known_password"
# Returns token for first matching LDAP user
```

Fix

Apply RFC 4515 escaping before filter construction:

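```java
// Escape the RFC 4515 special characters in a value placed inside a filter.
private static String escapeLdapFilter(String input) {
    return input
        .replace("\\", "\\5c")   // backslash first, so later escapes are not re-escaped
        .replace("*",  "\\2a")
        .replace("(",  "\\28")
        .replace(")",  "\\29")
        .replace("\0", "\\00");  // NUL
}

// At the call site, escape the username before substituting it into the filter
var filter = userFilter.replace("{0}", escapeLdapFilter(username));
```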
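
The following regression check is an added example, not code from the advisory or from the Yamcs project. It escapes in a single pass, so the order of replacements cannot matter, and verifies on constructed usernames that no filter syntax survives. The class name, the `(uid={0})` template and the `hasFilterSyntax` helper are assumptions made for illustration.

```java
import java.util.List;

public class LdapFilterEscapeDemo {
    // Assumed filter template; a real deployment takes it from etc/security.yaml.
    static final String USER_FILTER = "(uid={0})";

    // Single-pass RFC 4515 escaping of the five characters the fix handles.
    // One pass means a backslash emitted by an escape is never escaped again.
    static String escapeLdapFilter(String input) {
        StringBuilder out = new StringBuilder(input.length() + 8);
        for (int i = 0; i < input.length(); i++) {
            char c = input.charAt(i);
            switch (c) {
                case '\\': out.append("\\5c"); break;
                case '*':  out.append("\\2a"); break;
                case '(':  out.append("\\28"); break;
                case ')':  out.append("\\29"); break;
                case '\0': out.append("\\00"); break;
                default:   out.append(c);
            }
        }
        return out.toString();
    }

    // True if the value could still act as filter syntax once substituted:
    // a raw *, (, ) or NUL, or a backslash not followed by two hex digits.
    static boolean hasFilterSyntax(String value) {
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            if (c == '*' || c == '(' || c == ')' || c == '\0') return true;
            if (c == '\\') {
                if (i + 2 >= value.length()
                        || Character.digit(value.charAt(i + 1), 16) < 0
                        || Character.digit(value.charAt(i + 2), 16) < 0) return true;
                i += 2; // skip the two hex digits of a valid escape
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed usernames: one ordinary value plus values with special characters.
        List<String> samples = List.of("alice", "*", "al*", "a(b)c", "dom\\user", "nul\0byte");
        for (String u : samples) {
            String esc = escapeLdapFilter(u);
            if (hasFilterSyntax(esc)) throw new AssertionError("still filter syntax: " + esc);
            String raw = USER_FILTER.replace("{0}", u).replace('\0', '?'); // NUL shown as ?
            System.out.printf("raw=%-16s escaped=%s%n", raw, USER_FILTER.replace("{0}", esc));
        }
    }
}
```

Running it prints the unescaped and escaped filter for each sample, and throws if any escaped value would still be interpreted as filter syntax.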

Analysis (AI)

LDAP injection in Yamcs LdapAuthModule (yamcs-core < 5.12.7) enables horizontal privilege escalation for authenticated low-privilege users. By submitting a wildcard character as the username alongside a single known valid LDAP password, an attacker causes the unescaped LDAP search filter to match the first user returned by the directory query, effectively authenticating as that account. …
