40 matches found

GithubExploit
added 2026/05/29 2:35 p.m., 84 views

Exploit for CVE-2026-42568

CVE-2026-42568 — YAMCS LDAP Injection in LdapAuthModule Su...

5.9 AI score, 0.01027 EPSS
Exploits: 3

IBM Security Bulletins
added 2026/05/21 7:39 p.m., 10 views

Security Bulletin: Vault Terraform Provider Incorrect Defaults for LDAP Auth Method, Resulting in Insecure Configuration and Potential Authentication Bypass

Summary Vault’s Terraform Provider incorrectly set the default deny_null_bind parameter for the LDAP auth method to false by default. If the underlying LDAP server allowed anonymous or unauthenticated binds, this could result in authentication bypass. This vulnerability, CVE-2025-13357, is fixed in...

9.8 CVSS, 7 AI score, 0.00492 EPSS
Exploits: 0, Affected Software: 1

vulnersOsv
added 2026/03/12 2:50 p.m., 3 views

@backstage/plugin-auth-backend (>=0.0.0-nightly-20240122021809 <=0.22.11), @backstage/plugin-auth-backend-module-aws-alb-provider (>=0.0.0-nightly-20240126021148 <=0.4.14-next.1) +7 more potentially affected by CVE-2026-32235 via @backstage/plugin-auth-backend (>=0.0.0-nightly-20240929023448 <=0.27.1-next.2)

@backstage/plugin-auth-backend NPM version =0.0.0-nightly-20240929023448, =0.0.0-nightly-20240122021809, =0.0.0-nightly-20240126021148, =0.0.0-nightly-20240122021809, =0.0.0-nightly-2022122206, =0.0.0-nightly-2022122206, =0.0.0-nightly-2022122206, =1.0.0, =1.2.0 -...

5.9 CVSS, 5.8 AI score, 0.00139 EPSS
Exploits: 0

vulnersOsv
added 2026/03/12 2:50 p.m., 5 views

@backstage/plugin-auth-backend (>=0.0.0-nightly-20240122021809 <=0.22.11), @backstage/plugin-auth-backend-module-aws-alb-provider (>=0.0.0-nightly-20240126021148 <=0.4.14-next.1) +7 more potentially affected by CVE-2026-32235 via @backstage/plugin-auth-backend (>=0.0.0-nightly-20240929023448 <=0.27.1-next.2)

@backstage/plugin-auth-backend NPM version =0.0.0-nightly-20240929023448, =0.0.0-nightly-20240122021809, =0.0.0-nightly-20240126021148, =0.0.0-nightly-20240122021809, =0.0.0-nightly-2022122206, =0.0.0-nightly-2022122206, =0.0.0-nightly-2022122206, =1.0.0, =1.2.0 -...

5.9 CVSS, 5.8 AI score, 0.00139 EPSS
Exploits: 0

EUVD
added 2025/10/03 8:7 p.m., 6 views

EUVD-2024-0419

Malicious code in bioql PyPI...

5.3 CVSS, 5.4 AI score, 0.01289 EPSS
Exploits: 0, References: 5

Tenable Nessus
added 2025/08/12 12:0 a.m., 4 views

Linux Distros Unpatched Vulnerability : CVE-2020-14869

The Linux/Unix host has one or more packages installed that are impacted by a vulnerability without a vendor supplied patch available. - Vulnerability in the MySQL Server product of Oracle MySQL component: Server: Security: LDAP Auth. Supported versions that are affected are 5.7.31 and prior and...

6.8 CVSS, 6 AI score, 0.0178 EPSS
Exploits: 0, References: 2

Github Security Blog
added 2025/08/06 12:31 p.m., 8 views

HashiCorp Vault ldap auth method may not have correctly enforced MFA

Vault and Vault Enterprise’s “Vault” ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and...

8.1 CVSS, 6.2 AI score, 0.00468 EPSS
Exploits: 0, References: 3, Affected Software: 1

NVD
added 2025/08/06 10:15 a.m., 6 views

CVE-2025-6013

Vault and Vault Enterprise’s “Vault” ldap auth method may not have correctly enforced MFA if username_as_alias was set to true and a user had multiple CNs that are equal but with leading or trailing spaces. Fixed in Vault Community Edition 1.20.2 and Vault Enterprise 1.20.2, 1.19.8, 1.18.13, and...

8.1 CVSS, 0.00468 EPSS
Exploits: 0, References: 1

OSV
added 2024/01/31 11:11 p.m., 17 views

GHSA-RPGP-9HMG-J25X Enumeration of users in HashiCorp Vault

HashiCorp Vault and Vault Enterprise allowed the enumeration of users via the LDAP auth method. Fixed in 1.5.6 and 1.6.1...

6.5 CVSS, 5 AI score, 0.01289 EPSS
Exploits: 0, References: 4

Github Security Blog
added 2024/01/31 11:11 p.m., 23 views

Enumeration of users in HashiCorp Vault

HashiCorp Vault and Vault Enterprise allowed the enumeration of users via the LDAP auth method. Fixed in 1.5.6 and 1.6.1...

5.3 CVSS, 6.7 AI score, 0.01289 EPSS
Exploits: 0, References: 5, Affected Software: 1

Tenable Nessus
added 2023/09/07 12:0 a.m., 36 views

Oracle Linux 5 : dovecot (ELSA-2008-0297)

The remote Oracle Linux 5 host has a package installed that is affected by multiple vulnerabilities as referenced in the ELSA-2008-0297 advisory. - LDAP+auth cache user login mixup CVE-2007-6598, 427575 - insecure mail_extra_groups option CVE-2008-1199, 436927 - update to latest upstream, fixes a f...

6.8 CVSS, 5.6 AI score, 0.02123 EPSS
Exploits: 0, References: 5

RedhatCVE
added 2023/08/01 3:26 p.m., 35 views

CVE-2023-3462

A flaw was found in the HashiCorp Vault. The Vault and Vault Enterprise “Vault” LDAP auth method allows unauthenticated users to potentially enumerate valid accounts in the configured LDAP system by observing the response error when querying usernames...

5.3 CVSS, 7 AI score, 0.00613 EPSS
Exploits: 0, References: 4

Vulnrichment
added 2023/07/31 10:40 p.m., 18 views

CVE-2023-3462 Vault's LDAP Auth Method Allows for User Enumeration

HashiCorp's Vault and Vault Enterprise are vulnerable to user enumeration when using the LDAP auth method. An attacker may submit requests of existent and non-existent LDAP users and observe the response from Vault to check if the account is valid on the LDAP server. This vulnerability is fixed i...

5.3 CVSS, 6.5 AI score, 0.00613 EPSS
Exploits: 0, References: 1

F5 Networks
added 2023/02/21 6:34 p.m., 11 views

K11455641: NGINX LDAP Reference Implementation security exposure

Security Advisory Description NGINX LDAP reference implementation configuration can be modified by sending crafted HTTP requests. Note : nginx-ldap-auth is not an NGINX Product. It is published as a reference implementation of LDAP and describes the mechanics of how the integration works and all ...

6.9 AI score
Exploits: 0

OSSF Malicious Packages
added 2022/06/20 8:25 p.m., 3 views

Malicious code in nestjs-ldap-auth (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d65363e22ae6934a381048355dec14bb6b668cfc1d21b311be5ed9d15cd12bf2 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

6.9 AI score
Exploits: 0, References: 1

OSV
added 2022/06/20 8:25 p.m., 12 views

MAL-2022-4801 Malicious code in nestjs-ldap-auth (npm)

--- -= Per source details. Do not edit below this line.=- Source: ghsa-malware d65363e22ae6934a381048355dec14bb6b668cfc1d21b311be5ed9d15cd12bf2 Any computer that has this package installed or running should be considered fully compromised. All secrets and keys stored on that computer should be...

7 AI score
Exploits: 0, References: 1

Veracode
added 2020/12/18 8:40 a.m., 17 views

Information Disclosure

github.com/hashicorp/vault is vulnerable to information disclosure. The vulnerability is possible because the error messages returned by the LDAP auth method allow user enumeration...

5.3 CVSS, 2.3 AI score, 0.01289 EPSS
Exploits: 0, References: 2, Affected Software: 2

OSV
added 2020/12/17 5:15 a.m., 13 views

CVE-2020-35177

HashiCorp Vault and Vault Enterprise 1.4.1 and newer allowed the enumeration of users via the LDAP auth method. Fixed in 1.5.6 and 1.6.1...

5.3 CVSS, 6.7 AI score
Exploits: 0, References: 2

RedhatCVE
added 2020/10/22 8:35 p.m., 35 views

CVE-2020-14878

Vulnerability in the MySQL Server product of Oracle MySQL component: Server: Security: LDAP Auth. Supported versions that are affected are 8.0.21 and prior. Easily exploitable vulnerability allows low privileged attacker with access to the physical communication segment attached to the hardware...

8 CVSS, 3.3 AI score, 0.01184 EPSS
Exploits: 0, References: 4

Tenable Nessus
added 2020/10/22 12:0 a.m., 504 views

MySQL 8.0.x < 8.0.22 Multiple Vulnerabilities (Oct 2020 CPU)

The version of MySQL running on the remote host is 8.0.x prior to 8.0.22. It is, therefore, affected by multiple vulnerabilities, including the following, as noted in the October 2020 Critical Patch Update advisory: - Vulnerability in the MySQL Server product of Oracle MySQL component: Server:...

8 CVSS, 6.2 AI score, 0.03012 EPSS
Exploits: 0, References: 53