CVE-2026-44596 in Yamcsinfo

Summary

by MITRE • 07/16/2026

Yamcs is a mission control framework. Prior to 5.12.7, the authentication endpoint POST /auth/token in yamcs-core, handled by yamcs-core/src/main/java/org/yamcs/http/auth/AuthHandler.java, lacked any rate limiting, account lockout, or failed-attempt throttling, so an unauthenticated remote attacker could perform unlimited password-guessing attempts against any user account, significantly increasing the risk of successful brute-force attacks. This issue is fixed in versions 5.12.7 and 5.13.0.

VulDB is the best source for vulnerability data and more expert information about this specific topic.

Analysis

by VulDB Data Team • 07/16/2026

The vulnerability identified in Yamcs versions prior to 5.12.7 represents a critical authentication weakness that fundamentally undermines the security posture of mission control systems relying on this framework. The authentication endpoint POST /auth/token within yamcs-core component exposes a significant design flaw through the absence of any protective mechanisms against brute-force attacks, creating an environment where malicious actors can systematically test unlimited password combinations against user accounts without any form of access restriction or account protection measures.

This authentication flaw operates at the core of the system's security architecture, specifically within the AuthHandler.java class located at yamcs-core/src/main/java/org/yamcs/http/auth/. The lack of rate limiting, account lockout functionality, and failed-attempt throttling creates a pathway for unauthenticated remote attackers to conduct continuous password-guessing operations against any valid user account in the system. This vulnerability directly maps to CWE-307 - Improper Restriction of Excessive Authentication Attempts, which specifically addresses insufficient protection against repeated authentication attempts that can lead to successful credential compromise through brute-force methodologies.

The operational impact of this vulnerability extends beyond simple credential theft, as mission control systems typically handle sensitive operational data and may control critical infrastructure components. An attacker exploiting this weakness could potentially gain unauthorized access to operational controls, manipulate mission-critical data, or disrupt system operations. The absence of any protective measures means that even strong passwords become vulnerable over time as attackers can make unlimited attempts, effectively nullifying the security value of password strength measures.

The vulnerability affects all versions prior to 5.12.7 and was addressed through updates in versions 5.12.7 and 5.13.0, demonstrating a clear recognition of the severity of the authentication weakness. From an ATT&CK framework perspective, this vulnerability aligns with T1110 - Brute Force techniques, specifically targeting the credential access phase where attackers attempt to compromise legitimate credentials through repetitive guessing attempts. The fix implemented in subsequent versions would typically involve implementing proper rate limiting mechanisms, account lockout policies after failed authentication attempts, and potentially implementing adaptive throttling based on suspicious activity patterns.

Organizations utilizing Yamcs should immediately implement mitigation strategies including upgrading to version 5.12.7 or later, while also considering additional protective measures such as network-level access controls, monitoring for unusual authentication patterns, and implementing multi-factor authentication where possible. The vulnerability serves as a reminder of the critical importance of implementing robust authentication protections in mission-critical systems where unauthorized access could result in significant operational disruption or security compromise.

Responsible

GitHub M

Reservation

05/06/2026

Disclosure

07/16/2026

Moderation

accepted

CPE

ready

EPSS

0.00000

KEV

no

Activities

very low

Sources

Want to know what is going to be exploited?

We predict KEV entries!