Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Primary rating from Vendor (https://github.com/yamcs/yamcs) · only source for this CVE.
CVSS VectorVendor: https://github.com/yamcs/yamcs
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N
Lifecycle Timeline
2Blast Radius
ecosystem impact- 6 maven packages depend on org.yamcs:yamcs-core (6 direct, 0 indirect)
Ecosystem-wide dependent count for version 5.12.7.
DescriptionCVE.org
Summary
The authentication endpoint POST /auth/token in yamcs-core lacks any form of rate limiting, account lockout, or failed attempt throttling. As a result, an unauthenticated remote attacker can perform unlimited password guessing attempts against any user account.
This missing rate limiting vulnerability (CWE-307) significantly increases the risk of successful brute-force attacks.
Root Cause
File: yamcs-core/src/main/java/org/yamcs/http/auth/AuthHandler.java
POST /auth/token has no rate limiting, no lockout after failed attempts, and no CAPTCHA. The handler processes unlimited authentication requests without any throttling mechanism:
// AuthHandler.java - handleToken()
// No throttle, no failed attempt counter, no lockout
private void handleToken(HandlerContext ctx) {
...
getSecurityStore().login(token).whenComplete((info, err) -> {
// Directly attempts authentication with no rate check
});
}This is absent by default - the official quickstart and documentation contain no guidance on configuring rate limiting.
Impact
An attacker can make unlimited authentication attempts against any account. This enables efficient brute-force attacks against any account.
Proof of Concept
# 20 attempts - zero rate limiting
for i in $(seq 1 20); do
curl -s -o /dev/null -w "Attempt $i: HTTP %{http_code}\n" \
-X POST "http://TARGET:8090/auth/token" \
-d "grant_type=password&username=operator&password=operator12$i"
done
# All return HTTP 401 - no HTTP 429 everConfirmed: 20 attempts in 0.07 seconds, no rate limiting enforced.
Fix
Implement DRF-style throttling on /auth/token:
// Track failed attempts per IP
private static final Cache<String, Integer> FAILED_ATTEMPTS =
CacheBuilder.newBuilder().expireAfterWrite(15, TimeUnit.MINUTES).build();
private static final int MAX_ATTEMPTS = 10;
private void handleToken(HandlerContext ctx) {
String ip = ctx.getRemoteAddress();
int attempts = Optional.ofNullable(FAILED_ATTEMPTS.getIfPresent(ip)).orElse(0);
if (attempts >= MAX_ATTEMPTS) {
throw new TooManyRequestsException("Rate limit exceeded");
}
// ... existing auth logic
// On failure: FAILED_ATTEMPTS.put(ip, attempts + 1)
}AnalysisAI
Unlimited credential brute-forcing is possible against Yamcs (yamcs-core < 5.12.7) because the POST /auth/token OAuth2 password-grant endpoint in AuthHandler.java enforces no rate limiting, account lockout, or failed-attempt throttling by default. Unauthenticated remote attackers can submit unlimited password guesses at machine speed - a publicly available proof-of-concept included in the advisory demonstrates 20 attempts completing in 0.07 seconds with zero HTTP 429 responses. CVSS signals AV:N/AC:L/PR:N/UI:N confirm this is trivially exploitable against any network-reachable Yamcs instance with no special prerequisites; in mission control contexts, a compromised account carries operational risk well beyond what the medium CVSS score alone conveys.
Technical ContextAI
Yamcs (Yet Another Mission Control System) is an open-source Java-based mission control framework used for spacecraft and satellite operations, distributed as the Maven artifact org.yamcs:yamcs-core. The vulnerable code resides in yamcs-core/src/main/java/org/yamcs/http/auth/AuthHandler.java - specifically the handleToken() method, which processes OAuth2 password-grant POST requests to the /auth/token endpoint (default port 8090). The method directly invokes getSecurityStore().login() without any preceding throttle check, per-IP failed-attempt counter, or account lockout mechanism. Because the handler maintains no inter-request state, each authentication attempt is treated as an independent event. The root cause is CWE-307 (Improper Restriction of Excessive Authentication Attempts): the server never transitions a client or account into a locked or throttled state regardless of failure volume. The official Yamcs quickstart documentation provides no guidance on deploying external rate-limiting compensating controls, meaning all default installations are exposed.
RemediationAI
Upgrade yamcs-core to version 5.12.7 or later - this is the vendor-released patch confirmed by GitHub Security Advisory GHSA-w5r6-mcgq-7pq4 (https://github.com/yamcs/yamcs/security/advisories/GHSA-w5r6-mcgq-7pq4). For Maven projects, update pom.xml to org.yamcs:yamcs-core:5.12.7. If immediate upgrade is not feasible, deploy an external reverse proxy (e.g., nginx using limit_req_zone, or a WAF rule) in front of Yamcs port 8090 to enforce per-IP rate limiting on POST /auth/token; note this adds infrastructure complexity and does not protect against direct TCP access if port 8090 remains separately reachable. Restricting network access to port 8090 via firewall rules to trusted IP ranges is the highest-value compensating control available pre-patch, as it eliminates external attacker reachability entirely, though it does not mitigate insider or compromised-network-segment attacks. Enforcing strong, unique passwords for all Yamcs accounts increases the time cost of brute-force but does not prevent it - do not treat this as a substitute for the patch.
Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m
Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti
Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent
Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug
JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up
Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up
The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers
Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow
Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla
The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-44956
GHSA-w5r6-mcgq-7pq4