CVE-2026-50889
Undergoing Analysis Undergoing Analysis - In Progress

Denial of Service in LLDAP via Malformed Refresh Token

Vulnerability report for CVE-2026-50889, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-06-15

Last updated on: 2026-06-16

Assigner: MITRE

Description

An input handling flaw in the HTTP refresh token process of LLDAP v0.6.2 allows attackers to cause a Denial of Service (DoS) via sending a crafted refresh-token header.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-06-15
Last Modified
2026-06-16
Generated
2026-07-06
AI Q&A
2026-06-15
EPSS Evaluated
2026-07-04
NVD
EUVD

Affected Vendors & Products

Currently, no data is known.

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-400 The product does not properly control the allocation and maintenance of a limited resource.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-50889 is a vulnerability in LLDAP version 0.6.2 related to how the application handles the HTTP refresh token header.

Specifically, when processing the refresh-token header in the /auth/refresh and /auth/logout endpoints, the function get_refresh_token() calls HeaderValue::to_str().unwrap(). This unwrap() call fails if the header contains non-ASCII bytes, causing the application to panic and crash the HTTP worker.

An attacker can exploit this by sending a crafted refresh-token header with non-ASCII data, such as byte 0xff, which triggers the crash.

Impact Analysis

This vulnerability allows a remote unauthenticated attacker to cause a Denial of Service (DoS) by crashing the HTTP worker of the LLDAP server.

Under the default single-worker configuration, repeated exploitation can keep the server's HTTP interface unavailable or unstable, disrupting service availability.

Detection Guidance

This vulnerability can be detected by monitoring for crashes or instability in the LLDAP v0.6.2 HTTP service, especially related to the /auth/refresh and /auth/logout endpoints.

To detect exploitation attempts, you can capture and analyze HTTP requests that contain a refresh-token header with non-ASCII or malformed bytes.

A practical approach is to use network traffic inspection tools like tcpdump or Wireshark to filter HTTP requests to these endpoints and check for suspicious refresh-token headers.

  • Use tcpdump to capture HTTP traffic on port 80 or 443 (depending on your setup): tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)'
  • Filter captured traffic for requests to /auth/refresh or /auth/logout and inspect the refresh-token header for non-ASCII bytes (e.g., 0xff).
  • Alternatively, use curl or similar tools to test the endpoints by sending crafted refresh-token headers with non-ASCII bytes and observe if the server crashes.
Mitigation Strategies

Immediate mitigation steps include restricting or filtering incoming HTTP requests to the /auth/refresh and /auth/logout endpoints to block requests with malformed or non-ASCII refresh-token headers.

If possible, configure a web application firewall (WAF) or reverse proxy to validate and sanitize the refresh-token header before it reaches the LLDAP server.

Consider increasing the number of HTTP workers or enabling worker isolation to reduce the impact of a single worker crash.

Monitor server logs and uptime closely to detect and respond quickly to any denial-of-service conditions caused by this vulnerability.

Apply any available patches or updates from the LLDAP project that address this input handling flaw as soon as they are released.

Compliance Impact

The provided information does not specify any direct impact of this vulnerability on compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-50889. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart