LDAP Injection Allows Auth Bypass in YAMCS yamcs‑core 5.12.7 (CVE‑2026‑42568)
What Happened — A flaw in YAMCS yamcs‑core ≤ 5.12.7’s LdapAuthModule fails to escape the LDAP filter string, enabling an attacker to inject arbitrary LDAP queries. By supplying a crafted username (e.g., )(uid=))(|(uid=*), the filter becomes a universal match, granting unauthenticated access and a valid JWT token.
Why It Matters for TPRM —
- Authentication bypass can expose mission‑critical telemetry and command data.
- Exploitation may lead to lateral movement within downstream services that rely on YAMCS for identity.
- Third‑party SaaS platforms that embed YAMCS become a direct attack surface.
Who Is Affected — Aerospace & defense contractors, satellite operators, research labs, and any organization using YAMCS as a telemetry/command system (TECH_SAAS / API_PROVIDER).
Recommended Actions —
- Verify YAMCS version; upgrade to 5.12.7 or later.
- Review LDAP configuration; enforce RFC 4515 escaping or switch to alternative auth modules.
- Conduct penetration testing of LDAP‑bound endpoints and monitor for anomalous token issuance.
Technical Notes — The vulnerability (CVE‑2026‑42568) is a Remote Auth Bypass via LDAP injection. No CVE‑based patch existed before the advisory; the fix is to upgrade the core library. Exploited by sending a POST to /auth/token with malicious username. Affected data includes authentication tokens and any data accessible to the compromised account. Source: https://www.exploit-db.com/exploits/52603