Skip to main content

Yamcs CVE-2026-42568

MEDIUM
LDAP Injection (CWE-90)
2026-05-26 https://github.com/yamcs/yamcs GHSA-cqh3-jg8p-336j
4.3
CVSS 3.1 · Vendor: https://github.com/yamcs/yamcs
Share

Severity by source

Vendor (https://github.com/yamcs/yamcs) PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N

Primary rating from Vendor (https://github.com/yamcs/yamcs) · only source for this CVE.

CVSS VectorVendor: https://github.com/yamcs/yamcs

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 27, 2026 - 00:04 vuln.today
Analysis Generated
May 27, 2026 - 00:04 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 6 maven packages depend on org.yamcs:yamcs-core (6 direct, 0 indirect)

Ecosystem-wide dependent count for version 5.12.7.

DescriptionCVE.org

Summary

An LDAP injection vulnerability exists in org.yamcs.security.LdapAuthModule when constructing search filters. The username parameter is inserted directly into the LDAP filter without proper RFC 4515 escaping.

Root Cause

File: yamcs-core/src/main/java/org/yamcs/security/LdapAuthModule.java:233

The username parameter is inserted directly into an LDAP search filter without RFC 4515 escaping:

java
// VULNERABLE
var filter = userFilter.replace("{0}", username);
var searchResult = getSingleResult(ctx, userBase, filter, controls);

LDAP wildcard characters (*, (, )) are accepted without sanitization.

Impact

With a known valid password, username=* authenticates as the first user returned by the LDAP search - enabling horizontal privilege escalation between accounts sharing similar passwords or when the attacker knows one valid password.

This affects deployments that use org.yamcs.security.LdapAuthModule in their etc/security.yaml configuration file.

Proof of Concept

bash
curl -X POST "http://TARGET:8090/auth/token" \
  -d "grant_type=password&username=*&password=known_password"
# Returns token for first matching LDAP user

Fix

Apply RFC 4515 escaping before filter construction:

java
private static String escapeLdapFilter(String input) {
    return input
        .replace("\\", "\\5c")
        .replace("*",  "\\2a")
        .replace("(",  "\\28")
        .replace(")",  "\\29")
        .replace("\0", "\\00");
}
var filter = userFilter.replace("{0}", escapeLdapFilter(username));

AnalysisAI

LDAP injection in Yamcs LdapAuthModule (yamcs-core < 5.12.7) enables horizontal privilege escalation for authenticated low-privilege users. By submitting a wildcard character as the username alongside a single known valid LDAP password, an attacker causes the unescaped LDAP search filter to match the first user returned by the directory query, effectively authenticating as that account. A proof-of-concept exploit is publicly available in the GitHub advisory; no CISA KEV listing exists, but the low attack complexity and published PoC make this a credible threat for any Yamcs deployment using LDAP authentication.

Technical ContextAI

Yamcs (Yet Another Mission Control System) is a Java-based spacecraft operations framework; the affected component is the Maven artifact org.yamcs:yamcs-core. The vulnerability is rooted in CWE-90 (Improper Neutralization of Special Elements in an LDAP Query). In LdapAuthModule.java at line 233, the username parameter is interpolated directly into an LDAP search filter string via a simple string replace - userFilter.replace("{0}", username) - without applying RFC 4515 escape sequences for special characters such as *, (, ), \, and \0. Because LDAP wildcard semantics are preserved, a submitted username of * expands the filter to match all directory entries, and the code returns the first result. The fix requires pre-processing input through an RFC 4515-compliant escape function before filter construction, as documented in the advisory.

RemediationAI

Vendor-released patch: yamcs-core 5.12.7 (and 5.13.0). Upgrade the org.yamcs:yamcs-core Maven dependency to version 5.12.7 or 5.13.0 immediately; release notes for 5.12.7 confirm security updates are included (https://github.com/yamcs/yamcs/releases/tag/yamcs-5.12.7). If immediate upgrade is not feasible, the primary compensating control is to disable the LdapAuthModule entirely by removing or replacing the org.yamcs.security.LdapAuthModule entry in etc/security.yaml with an alternative authentication provider - this eliminates the attack surface entirely but requires an alternative identity store. A secondary control is to restrict network access to the Yamcs auth endpoint (default port 8090) to trusted networks only, limiting the pool of potential attackers to those already inside the perimeter; this does not eliminate the vulnerability but raises the bar for exploitation. Blocking wildcard-containing usernames at a reverse proxy or WAF layer (e.g., rejecting requests where the username field contains *, (, or )) is a viable short-term filter, though WAF bypass risks apply. No side effects are expected from the upstream patch as it only adds RFC 4515 escaping to the filter-construction code path.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-42568 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy