YugabyteDB Anywhere Exposes LDAP Credentials in Cleartext in Web UI

2.4 / 10

LOW

CVSS:4.0/AV:P/AC:H/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H

Description

YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, potentially enabling unauthorized access to external directory services.

Basic Information

ID CVE-2026-1966

Source Yugabyte

Published Feb 5, 2026 at 11:38

Affected Product

Vendor YugabyteDB Inc

Product YugabyteDB Anywhere

Version 2025.1.0.0

Affected Versions YugabyteDB Inc YugabyteDB Anywhere 2025.1.0.0
YugabyteDB Inc YugabyteDB Anywhere 2024.2.0.0

CWE Classification

CWE-522

References

docs.yugabyte.com /stable/secure/vulnerability-disclosure-policy/

{
    "lastseen": "",
    "description": "YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, potentially enabling unauthorized access to external directory services.",
    "published": "2026-02-05T11:38:28.291Z",
    "modified": "2026-02-05T11:38:28.291Z",
    "type": "cve",
    "title": "YugabyteDB Anywhere Exposes LDAP Credentials in Cleartext in Web UI",
    "source": "Yugabyte",
    "references": "https://docs.yugabyte.com/stable/secure/vulnerability-disclosure-policy/",
    "id": "CVE-2026-1966",
    "bulletinFamily": "",
    "cwe": [
        "CWE-522"
    ],
    "cvelist": null,
    "sourceData": "YugabyteDB Inc YugabyteDB Anywhere 2025.1.0.0\nYugabyteDB Inc YugabyteDB Anywhere 2024.2.0.0",
    "sourceHref": "",
    "cvss": {
        "score": 2.4,
        "severity": "LOW",
        "vector": "CVSS:4.0/AV:P/AC:H/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "YugabyteDB Anywhere",
    "version": "2025.1.0.0",
    "vendor": "YugabyteDB Inc",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

YugabyteDB Anywhere Exposes LDAP Credentials in Cleartext in Web UI_CVE-2026-1966