CVE-2026-42568
Yamcs Vulnerable to LDAP Injection in LdapAuthModule
Description
### Summary An LDAP injection vulnerability exists in `org.yamcs.security.LdapAuthModule` when constructing search filters. The username parameter is inserted directly into the LDAP filter without proper RFC 4515 escaping. ### Root Cause **File:** `yamcs-core/src/main/java/org/yamcs/security/LdapAuthModule.java:233` The `username` parameter is inserted directly into an LDAP search filter without RFC 4515 escaping: ```java // VULNERABLE var filter = userFilter.replace("{0}", username); var searchResult = getSingleResult(ctx, userBase, filter, controls); ``` LDAP wildcard characters (`*`, `(`, `)`) are accepted without sanitization. ### Impact With a known valid password, `username=*` authenticates as the first user returned by the LDAP search — enabling horizontal privilege escalation between accounts sharing similar passwords or when the attacker knows one valid password. This affects deployments that use `org.yamcs.security.LdapAuthModule` in their `etc/security.yaml` configuration file. ### Proof of Concept ```bash curl -X POST "http://TARGET:8090/auth/token" \ -d "grant_type=password&username=*&password=known_password" # Returns token for first matching LDAP user ``` ### Fix Apply RFC 4515 escaping before filter construction: ```java private static String escapeLdapFilter(String input) { return input .replace("\\", "\\5c") .replace("*", "\\2a") .replace("(", "\\28") .replace(")", "\\29") .replace("\0", "\\00"); } var filter = userFilter.replace("{0}", escapeLdapFilter(username)); ```
How to fix CVE-2026-42568
To remediate CVE-2026-42568, upgrade the affected package to a fixed version below.
- —upgrade to 5.12.7 or later
Is CVE-2026-42568 being exploited?
No exploitation signal available. Neither CISA KEV nor a current EPSS score has been published for CVE-2026-42568.