CVE-2026-42568
Status: Received - Intake
LDAP Injection in Yamcs Framework

Publication date: 2026-06-10

Last updated on: 2026-06-10

Assigner: GitHub, Inc.

Description
Yamcs is a mission control framework. Prior to versions 5.13.0 and 5.12.7, an LDAP injection vulnerability exists in `org.yamcs.security.LdapAuthModule` when constructing search filters. The username parameter is inserted directly into the LDAP filter without proper RFC 4515 escaping. Versions 5.13.0 and 5.12.7 patch the issue.
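To make the description concrete, the following added example (not Yamcs code; the page does not show the module's actual filter template) builds a user lookup filter the vulnerable way, by interpolating the username straight into the filter string, and beside it the hardened way, with the value escaped per RFC 4515 section 3. The attribute name `uid`, the filter shape and the sample usernames are assumptions constructed for the example. A small structural check then shows why the escaping matters: an escaped value can only ever match literally, so the filter keeps exactly one assertion no matter what the user typed.

```python
"""Vulnerable vs. hardened LDAP search-filter construction (CWE-90).

Example code written for this page, not taken from Yamcs. The attribute
name "uid" and the filter shape are assumptions; the advisory only states
that the username is inserted into the filter without RFC 4515 escaping.
"""

# RFC 4515 section 3: these characters must be escaped inside an assertion
# value as a backslash followed by the two hex digits of their byte value.
_RFC4515_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def escape_filter_value(value: str, escape_non_ascii: bool = True) -> str:
    """Escape an assertion value so it can only ever match literally.

    Non-ASCII characters are optionally emitted as escaped UTF-8 bytes,
    which RFC 4515 permits and which keeps the filter pure ASCII.
    """
    out = []
    for ch in value:
        if ch in _RFC4515_ESCAPES:
            out.append(_RFC4515_ESCAPES[ch])
        elif escape_non_ascii and ord(ch) > 0x7F:
            out.append("".join(f"\\{b:02x}" for b in ch.encode("utf-8")))
        else:
            out.append(ch)
    return "".join(out)


def build_filter_vulnerable(username: str) -> str:
    """The pattern the advisory describes: raw interpolation, no escaping."""
    return f"(uid={username})"


def build_filter_hardened(username: str) -> str:
    """Same lookup with the value escaped per RFC 4515."""
    return f"(uid={escape_filter_value(username)})"


def is_single_literal_assertion(filt: str) -> bool:
    """Structural sanity check for a filter meant to match one literal value.

    Walks the filter, skipping backslash-XX escape sequences, and counts
    unescaped parentheses and wildcards. A single equality match has exactly
    one opening and one closing parenthesis and no unescaped '*'.
    """
    opens = closes = wildcards = 0
    i = 0
    while i < len(filt):
        ch = filt[i]
        if ch == "\\":
            i += 3  # skip the escape: backslash plus two hex digits
            continue
        if ch == "(":
            opens += 1
        elif ch == ")":
            closes += 1
        elif ch == "*":
            wildcards += 1
        i += 1
    return opens == 1 and closes == 1 and wildcards == 0


if __name__ == "__main__":
    # Constructed sample inputs: a benign login name and two values that
    # carry filter metacharacters.
    for name in ["alice", "*", "admin)(cn=*"]:
        vuln = build_filter_vulnerable(name)
        safe = build_filter_hardened(name)
        print(f"{name!r:16} vulnerable={vuln!r:28} single={is_single_literal_assertion(vuln)}")
        print(f"{'':16} hardened  ={safe!r:28} single={is_single_literal_assertion(safe)}")
```

The hardened builder is the fix the advisory describes; the structural check is an additional defence-in-depth assertion a login module can run before sending the filter, and a convenient unit-test oracle for the escaping routine. Production code should prefer the escaping helper of the LDAP library in use (for JNDI on the JVM, the usual approach is an equivalent RFC 4515 escaper applied to every user-controlled assertion value) rather than a hand-rolled one.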
Meta Information
Generated: 2026-06-11
AI Q&A: 2026-06-11
EPSS Evaluated: N/A
Affected Vendors & Products
Vendor: yamcs
Product: yamcs
Version / Range: < 5.12.7 (excluding); < 5.13.0 (excluding)
CWE ID: CWE-90
Description: The product constructs all or part of an LDAP query using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended LDAP query when it is sent to a downstream component.
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is an LDAP injection issue in the Yamcs mission control framework, specifically in the LdapAuthModule component. Before versions 5.13.0 and 5.12.7, the username parameter was inserted directly into LDAP search filters without the escaping required by RFC 4515. Because filter metacharacters in the username are not neutralized, an attacker who controls that value can alter the structure of the LDAP query rather than merely its matched value.

Impact Analysis

The LDAP injection vulnerability can allow an attacker with some level of privileges to manipulate LDAP queries, potentially bypassing authentication controls or accessing information they are not authorized to see. The CVSS score of 4.3 indicates low-to-medium severity, with an impact on confidentiality but not on integrity or availability.

Mitigation Strategies

To mitigate this LDAP injection vulnerability in Yamcs, you should upgrade to versions 5.13.0 or 5.12.7, where the issue has been patched.

Compliance Impact

The vulnerability is an LDAP injection in Yamcs versions prior to 5.13.0 and 5.12.7, caused by improper handling of the username parameter in LDAP search filters.

This vulnerability could potentially lead to unauthorized access or information disclosure through LDAP queries, which may impact the confidentiality of user data.

Since GDPR and HIPAA require protection of personal and sensitive data, exploitation of this vulnerability might result in non-compliance due to possible data exposure or unauthorized access.

However, the CVE description does not explicitly mention compliance impacts or regulatory considerations.
