Skip to main content

Yamcs CVE-2026-44596

| EUVDEUVD-2026-44956 MEDIUM
Improper Restriction of Excessive Authentication Attempts (CWE-307)
2026-05-27 https://github.com/yamcs/yamcs GHSA-w5r6-mcgq-7pq4
6.5
CVSS 3.1 · Vendor: https://github.com/yamcs/yamcs
Share

Severity by source

Vendor (https://github.com/yamcs/yamcs) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Primary rating from Vendor (https://github.com/yamcs/yamcs) · only source for this CVE.

CVSS VectorVendor: https://github.com/yamcs/yamcs

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
Low
Availability
None

Lifecycle Timeline

2
Source Code Evidence Fetched
May 27, 2026 - 00:30 vuln.today
Analysis Generated
May 27, 2026 - 00:30 vuln.today

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 6 maven packages depend on org.yamcs:yamcs-core (6 direct, 0 indirect)

Ecosystem-wide dependent count for version 5.12.7.

DescriptionCVE.org

Summary

The authentication endpoint POST /auth/token in yamcs-core lacks any form of rate limiting, account lockout, or failed attempt throttling. As a result, an unauthenticated remote attacker can perform unlimited password guessing attempts against any user account.

This missing rate limiting vulnerability (CWE-307) significantly increases the risk of successful brute-force attacks.

Root Cause

File: yamcs-core/src/main/java/org/yamcs/http/auth/AuthHandler.java

POST /auth/token has no rate limiting, no lockout after failed attempts, and no CAPTCHA. The handler processes unlimited authentication requests without any throttling mechanism:

java
// AuthHandler.java - handleToken()
// No throttle, no failed attempt counter, no lockout
private void handleToken(HandlerContext ctx) {
    ...
    getSecurityStore().login(token).whenComplete((info, err) -> {
        // Directly attempts authentication with no rate check
    });
}

This is absent by default - the official quickstart and documentation contain no guidance on configuring rate limiting.

Impact

An attacker can make unlimited authentication attempts against any account. This enables efficient brute-force attacks against any account.

Proof of Concept

bash
# 20 attempts - zero rate limiting
for i in $(seq 1 20); do
  curl -s -o /dev/null -w "Attempt $i: HTTP %{http_code}\n" \
    -X POST "http://TARGET:8090/auth/token" \
    -d "grant_type=password&username=operator&password=operator12$i"
done
# All return HTTP 401 - no HTTP 429 ever

Confirmed: 20 attempts in 0.07 seconds, no rate limiting enforced.

Fix

Implement DRF-style throttling on /auth/token:

java
// Track failed attempts per IP
private static final Cache<String, Integer> FAILED_ATTEMPTS =
    CacheBuilder.newBuilder().expireAfterWrite(15, TimeUnit.MINUTES).build();

private static final int MAX_ATTEMPTS = 10;

private void handleToken(HandlerContext ctx) {
    String ip = ctx.getRemoteAddress();
    int attempts = Optional.ofNullable(FAILED_ATTEMPTS.getIfPresent(ip)).orElse(0);
    if (attempts >= MAX_ATTEMPTS) {
        throw new TooManyRequestsException("Rate limit exceeded");
    }
    // ... existing auth logic
    // On failure: FAILED_ATTEMPTS.put(ip, attempts + 1)
}

AnalysisAI

Unlimited credential brute-forcing is possible against Yamcs (yamcs-core < 5.12.7) because the POST /auth/token OAuth2 password-grant endpoint in AuthHandler.java enforces no rate limiting, account lockout, or failed-attempt throttling by default. Unauthenticated remote attackers can submit unlimited password guesses at machine speed - a publicly available proof-of-concept included in the advisory demonstrates 20 attempts completing in 0.07 seconds with zero HTTP 429 responses. CVSS signals AV:N/AC:L/PR:N/UI:N confirm this is trivially exploitable against any network-reachable Yamcs instance with no special prerequisites; in mission control contexts, a compromised account carries operational risk well beyond what the medium CVSS score alone conveys.

Technical ContextAI

Yamcs (Yet Another Mission Control System) is an open-source Java-based mission control framework used for spacecraft and satellite operations, distributed as the Maven artifact org.yamcs:yamcs-core. The vulnerable code resides in yamcs-core/src/main/java/org/yamcs/http/auth/AuthHandler.java - specifically the handleToken() method, which processes OAuth2 password-grant POST requests to the /auth/token endpoint (default port 8090). The method directly invokes getSecurityStore().login() without any preceding throttle check, per-IP failed-attempt counter, or account lockout mechanism. Because the handler maintains no inter-request state, each authentication attempt is treated as an independent event. The root cause is CWE-307 (Improper Restriction of Excessive Authentication Attempts): the server never transitions a client or account into a locked or throttled state regardless of failure volume. The official Yamcs quickstart documentation provides no guidance on deploying external rate-limiting compensating controls, meaning all default installations are exposed.

RemediationAI

Upgrade yamcs-core to version 5.12.7 or later - this is the vendor-released patch confirmed by GitHub Security Advisory GHSA-w5r6-mcgq-7pq4 (https://github.com/yamcs/yamcs/security/advisories/GHSA-w5r6-mcgq-7pq4). For Maven projects, update pom.xml to org.yamcs:yamcs-core:5.12.7. If immediate upgrade is not feasible, deploy an external reverse proxy (e.g., nginx using limit_req_zone, or a WAF rule) in front of Yamcs port 8090 to enforce per-IP rate limiting on POST /auth/token; note this adds infrastructure complexity and does not protect against direct TCP access if port 8090 remains separately reachable. Restricting network access to port 8090 via firewall rules to trusted IP ranges is the highest-value compensating control available pre-patch, as it eliminates external attacker reachability entirely, though it does not mitigate insider or compromised-network-segment attacks. Enforcing strong, unique passwords for all Yamcs accounts increases the time cost of brute-force but does not prevent it - do not treat this as a substitute for the patch.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-44596 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy