CVE-2026-44595 in Yamcs
Summary
by MITRE • 07/16/2026
Yamcs is a mission control framework. Prior to 5.12.7, the IAM API endpoints listUsers, getUser, listGroups, and getGroup in yamcs-core did not enforce the required SystemPrivilege.ControlAccess check in yamcs-core/src/main/java/org/yamcs/http/api/IamApi.java, so any authenticated user, even one with low or no privileges, could enumerate all user accounts in the system including their usernames, superuser status, and group memberships. This issue is fixed in versions 5.12.7 and 5.13.0.
If you want to get best quality of vulnerability data, you may have to visit VulDB.
Analysis
by VulDB Data Team • 07/16/2026
The vulnerability described affects Yamcs, a comprehensive mission control framework widely used in aerospace and space applications for ground system operations. This security flaw exists in versions prior to 5.12.7 where the Identity and Access Management (IAM) API endpoints lack proper authorization controls. The affected endpoints include listUsers, getUser, listGroups, and getGroup within the yamcs-core component, specifically implemented in the file yamcs-core/src/main/java/org/yamcs/http/api/IamApi.java.
The technical flaw represents a critical authorization bypass vulnerability that allows any authenticated user to perform unauthorized enumeration of system users and groups. This occurs because the IAM API endpoints fail to validate whether the requesting user possesses the necessary SystemPrivilege.ControlAccess privilege before processing these enumeration requests. The absence of proper access control validation creates an information disclosure vulnerability where low-privilege or even unprivileged authenticated users can discover comprehensive details about all accounts within the system, including usernames, superuser status indicators, and group membership information.
The operational impact of this vulnerability is significant for organizations using Yamcs in mission-critical environments where security and access control are paramount. An attacker who gains access to any valid user account, even with minimal privileges, can leverage this vulnerability to map the entire user landscape of the system. This reconnaissance capability enables more sophisticated attacks including targeted credential harvesting, social engineering campaigns based on discovered user roles and permissions, and planning subsequent exploitation attempts. The vulnerability essentially provides a complete view of the system's access control structure to unauthorized parties.
This issue aligns with CWE-284 (Improper Access Control) and represents a classic case of insufficient authorization checking in API endpoints. From an MITRE ATT&CK framework perspective, this vulnerability maps to T1078 (Valid Accounts) and T1566 (Phishing) as it enables attackers to discover valid accounts and their associated privileges, facilitating further compromise. The vulnerability also relates to T1087 (Account Discovery) through the enumeration capabilities it provides. Organizations using Yamcs should immediately upgrade to versions 5.12.7 or 5.13.0 where the required privilege checks have been implemented to ensure proper authorization enforcement for these IAM API endpoints.
The fix implemented in versions 5.12.7 and 5.13.0 addresses the root cause by enforcing the SystemPrivilege.ControlAccess check before allowing access to user enumeration functions. This ensures that only users with appropriate administrative privileges can view user accounts, groups, and associated permissions. The mitigation strategy involves proper privilege validation at the API level, maintaining least-privilege principles, and implementing comprehensive access control policies throughout the system. Organizations should conduct security audits to verify that all IAM endpoints properly enforce required privileges and consider additional monitoring for unauthorized enumeration attempts.