HomeIntelligenceBrief
VULNERABILITY BRIEF🟠 High Vulnerability

YAMCS yamcs-core <5.12.7 Vulnerable to User Enumeration via IAM API (CVE‑2026‑44595)

A remote information‑disclosure vulnerability (CVE‑2026‑44595) in YAMCS yamcs‑core versions before 5.12.7 lets any authenticated user enumerate all accounts, super‑user flags and group memberships through the IAM API. Third‑party risk managers should treat this as a high‑severity supply‑chain issue and ensure affected vendors patch immediately.

LiveThreat™ Intelligence · 📅 June 02, 2026· 📰 exploit-db.com
🟠
Severity
High
VU
Type
Vulnerability
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
4 recommended
📰
Source
exploit-db.com

YAMCS yamcs‑core < 5.12.7 Vulnerable to User Enumeration via IAM API (CVE‑2026‑44595)

What Happened – A remote information‑disclosure flaw (CVE‑2026‑44595) in YAMCS yamcs‑core versions prior to 5.12.7 allows any authenticated user to call IAM endpoints (/api/iam/users, /api/iam/groups, etc.) and retrieve the full list of accounts, their super‑user status and group memberships. The vulnerability stems from missing enforcement of the SystemPrivilege.ControlAccess check.

Why It Matters for TPRM

  • Exposed user and group data can be leveraged for credential‑spraying or privilege‑escalation attacks against a third‑party service.
  • Supply‑chain risk increases when a vendor’s IAM controls are weak, potentially compromising downstream customers.
  • Regulatory compliance (e.g., GDPR, NIST) may be breached if personal data is disclosed without proper safeguards.

Who Is Affected – Aerospace & satellite operators, research institutions, and any organization that integrates YAMCS as a mission‑control SaaS platform (TECH_SAAS).

Recommended Actions

  • Upgrade to YAMCS yamcs‑core 5.12.7 or later immediately.
  • Review IAM role assignments and enforce least‑privilege principles.
  • Conduct penetration testing of API endpoints to confirm the fix.
  • Update third‑party risk registers to reflect the newly disclosed vulnerability.

Technical Notes – The flaw is a misconfiguration in the IAM API: the SystemPrivilege.ControlAccess permission is not validated, allowing enumeration via GET /api/iam/users, GET /api/iam/users/{name}, GET /api/iam/groups, and GET /api/iam/groups/{name}. No CVE‑specific exploit code is required beyond a valid low‑privilege token. Source: https://www.exploit-db.com/exploits/52604

📰 Original Source
https://www.exploit-db.com/exploits/52604

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · PrivacyOps · CookiePLUS

Data exposure is where consent and DSAR readiness get tested.

When personal data leaks, regulators ask what consent you held and how fast you can answer a subject request. The Verisq AI Trust Operations platform, with CookiePLUS, keeps that posture audit-ready under GDPR and CCPA.

Explore the Verisq AI Trust Operations platform →