CVE-2026-10549
LDAP Filter Injection in Yandex Database
Publication date: 2026-06-02
Last updated on: 2026-06-02
Assigner: Yandex N.V.
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| yandex | ydb | up to 25.3.1.25 (exclusive) |
| yandex | ydb | 22.4.44 |
| yandex | ydb_go_sdk | 3.53.3 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-280 | The product does not handle or incorrectly handles when it has insufficient privileges to access resources or functionality as specified by their permissions. This may cause it to follow unexpected code paths that may leave the product in an invalid state. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-10549 is an LDAP filter injection vulnerability in Yandex Database versions prior to 25.3.1.25. It allows a remote attacker who has valid LDAP credentials to bypass group membership checks. This means the attacker can gain unauthorized access to the database by exploiting the way LDAP filters are handled.
How can this vulnerability impact me?
This vulnerability can lead to unauthorized access to the database by attackers who have valid LDAP credentials. By bypassing group membership checks, attackers may access data or perform actions they should not be allowed to, potentially compromising the confidentiality and integrity of the database.