ex-cal1bur/CVE-2026-44596

GitHub: ex-cal1bur/CVE-2026-44596


# CVE-2026-44596 — YAMCS No Rate Limiting on Authentication Endpoint

## Summary

The authentication endpoint `POST /auth/token` in `yamcs-core` lacks any form of rate limiting, account lockout, or failed-attempt throttling. An unauthenticated remote attacker can perform unlimited password-guessing attempts against any user account.

| Field | Value |
|-------|-------|
| **CVE** | CVE-2026-44596 |
| **Severity** | MEDIUM (CVSS 5.3) |
| **CWE** | CWE-307: Improper Restriction of Excessive Authentication Attempts |
| **Affected** | yamcs-core < 5.12.7 |
| **Fixed in** | yamcs-core 5.12.7 |
| **Advisory** | [GHSA-w5r6-mcgq-7pq4](https://github.com/yamcs/yamcs/security/advisories/GHSA-w5r6-mcgq-7pq4) |

## Vulnerability Details

`POST /auth/token` accepts `grant_type=password` requests without any throttling mechanism. The endpoint returns HTTP 401 for invalid credentials indefinitely — never HTTP 429 — allowing automated brute-force at full network speed.

## Proof of Concept

```bash
# Usage: ./poc.sh [target] [username] [attempts]
chmod +x poc.sh
./poc.sh http://localhost:8090 operator 20
```

Expected output on a vulnerable instance:

```
Attempt 1: HTTP 401
Attempt 2: HTTP 401
...
Attempt 20: HTTP 401
[!!!] VULNERABLE: 20 attempts completed, no rate limiting
```

## Impact

An unauthenticated attacker with network access to the YAMCS server can brute-force user credentials without restriction, limited only by network bandwidth. YAMCS is used as mission control software in space missions including ESA's OPS-SAT and other ground station deployments.

## Fix

Upgrade to `yamcs-core >= 5.12.7`.
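As an added illustration, not code from this repository or from Yamcs, here is a Python sketch of the control whose absence CWE-307 describes: a sliding-window failed-attempt throttle keyed on client IP and username, so that a token handler answers HTTP 429 once a key is locked out instead of returning 401 indefinitely. The credential store, salt, thresholds and `handle_token_request` helper are constructed for the demo and are not the real `/auth/token` implementation.

```python
import hashlib
import hmac
import time
from collections import defaultdict, deque

# Constructed demo credential store (username -> PBKDF2 hash); not Yamcs's user backend.
_SALT = b"demo-salt"
USERS = {"operator": hashlib.pbkdf2_hmac("sha256", b"correct horse", _SALT, 100_000)}


class FailedAttemptThrottle:
    """Sliding-window lockout keyed on (client_ip, username).

    After max_failures failed logins inside window_seconds the key is locked
    for lockout_seconds; the handler should then answer 429 rather than 401.
    """

    def __init__(self, max_failures=5, window_seconds=60.0, lockout_seconds=300.0):
        self.max_failures = max_failures
        self.window = window_seconds
        self.lockout = lockout_seconds
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time at which the lockout expires

    def is_blocked(self, key, now):
        until = self._locked_until.get(key)
        if until is not None and now < until:
            return True
        self._locked_until.pop(key, None)    # lockout expired: forget it
        return False

    def record_failure(self, key, now):
        q = self._failures[key]
        q.append(now)
        while q and now - q[0] > self.window:  # drop failures outside the window
            q.popleft()
        if len(q) >= self.max_failures:
            self._locked_until[key] = now + self.lockout
            q.clear()

    def record_success(self, key):
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


def handle_token_request(throttle, client_ip, username, password, now=None):
    """Return the HTTP status a password-grant token handler should send."""
    now = time.time() if now is None else now
    key = (client_ip, username)
    if throttle.is_blocked(key, now):
        return 429
    stored = USERS.get(username)
    # Always run the hash so unknown and known usernames take the same time.
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), _SALT, 100_000)
    if stored is not None and hmac.compare_digest(stored, candidate):
        throttle.record_success(key)
        return 200
    throttle.record_failure(key, now)
    return 401
```

Keying on IP and username together limits the blast radius of a lockout, but a correct password submitted during the lockout window is still refused, which is the intended trade-off.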
## Timeline

| Date | Event |
|------|-------|
| 2026-05 | Vulnerability reported |
| 2026-05-27 | Fix released in yamcs-core 5.12.7 |
| 2026-05-27 | Public advisory published |

## Researcher

**Daniel Miranda Barcelona (Excal1bur)**

- GitHub: [https://github.com/ex-cal1bur](https://github.com/ex-cal1bur)
- LinkedIn: [https://linkedin.com/in/daniel-miranda-barcelona](https://linkedin.com/in/daniel-miranda-barcelona)
- Blog: [https://thedumpster.es](https://thedumpster.es)