YAMCS yamcs‑core < 5.12.7 Vulnerable to User Enumeration via IAM API (CVE‑2026‑44595)
What Happened – A remote information‑disclosure flaw (CVE‑2026‑44595) in YAMCS yamcs‑core versions prior to 5.12.7 allows any authenticated user to call IAM endpoints (/api/iam/users, /api/iam/groups, etc.) and retrieve the full list of accounts, their super‑user status and group memberships. The vulnerability stems from missing enforcement of the SystemPrivilege.ControlAccess check.
Why It Matters for TPRM –
- Exposed user and group data can be leveraged for credential‑spraying or privilege‑escalation attacks against a third‑party service.
- Supply‑chain risk increases when a vendor’s IAM controls are weak, potentially compromising downstream customers.
- Regulatory compliance (e.g., GDPR, NIST) may be breached if personal data is disclosed without proper safeguards.
Who Is Affected – Aerospace & satellite operators, research institutions, and any organization that integrates YAMCS as a mission‑control SaaS platform (TECH_SAAS).
Recommended Actions –
- Upgrade to YAMCS yamcs‑core 5.12.7 or later immediately.
- Review IAM role assignments and enforce least‑privilege principles.
- Conduct penetration testing of API endpoints to confirm the fix.
- Update third‑party risk registers to reflect the newly disclosed vulnerability.
Technical Notes – The flaw is a misconfiguration in the IAM API: the SystemPrivilege.ControlAccess permission is not validated, allowing enumeration via GET /api/iam/users, GET /api/iam/users/{name}, GET /api/iam/groups, and GET /api/iam/groups/{name}. No CVE‑specific exploit code is required beyond a valid low‑privilege token. Source: https://www.exploit-db.com/exploits/52604