CVE-2026-50889
Denial of Service in LLDAP via Malformed Refresh Token

Publication date: 2026-06-15

Last updated on: 2026-06-15

Assigner: MITRE

Description
An input handling flaw in the HTTP refresh token process of LLDAP v0.6.2 allows attackers to cause a Denial of Service (DoS) via sending a crafted refresh-token header.
Generated: 2026-06-16
Affected Vendors & Products
Currently, no data is known.
CWE ID: CWE-UNKNOWN
Executive Summary

CVE-2026-50889 is a vulnerability in LLDAP version 0.6.2 related to how the application handles the HTTP refresh token header.

Specifically, when processing the refresh-token header in the /auth/refresh and /auth/logout endpoints, the function get_refresh_token() calls HeaderValue::to_str().unwrap(). to_str() returns an error if the header value contains non-ASCII bytes, and the unwrap() on that error panics, crashing the HTTP worker.

An attacker can exploit this by sending a crafted refresh-token header with non-ASCII data, such as byte 0xff, which triggers the crash.

Impact Analysis

This vulnerability allows a remote unauthenticated attacker to cause a Denial of Service (DoS) by crashing the HTTP worker of the LLDAP server.

Under the default single-worker configuration, repeated exploitation can keep the server's HTTP interface unavailable or unstable, disrupting service availability.

Detection Guidance

This vulnerability can be detected by monitoring for crashes or instability in the LLDAP v0.6.2 HTTP service, especially related to the /auth/refresh and /auth/logout endpoints.

To detect exploitation attempts, you can capture and analyze HTTP requests that contain a refresh-token header with non-ASCII or malformed bytes.

A practical approach is to use network traffic inspection tools like tcpdump or Wireshark to filter HTTP requests to these endpoints and check for suspicious refresh-token headers.

  • Use tcpdump to capture HTTP traffic on port 80 or 443 (depending on your setup): tcpdump -i <interface> -A 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' (the filter keeps only TCP segments that carry a payload; on port 443 the headers are TLS-encrypted, so inspect them at the TLS-terminating reverse proxy or in its logs instead).
  • Filter captured traffic for requests to /auth/refresh or /auth/logout and inspect the refresh-token header for non-ASCII bytes (e.g., 0xff).
  • Alternatively, use curl or similar tools to test the endpoints by sending crafted refresh-token headers with non-ASCII bytes and observe whether the server crashes.

Mitigation Strategies

Immediate mitigation steps include restricting or filtering incoming HTTP requests to the /auth/refresh and /auth/logout endpoints to block requests with malformed or non-ASCII refresh-token headers.

If possible, configure a web application firewall (WAF) or reverse proxy to validate and sanitize the refresh-token header before it reaches the LLDAP server.

Consider increasing the number of HTTP workers or enabling worker isolation to reduce the impact of a single worker crash.

Monitor server logs and uptime closely to detect and respond quickly to any denial-of-service conditions caused by this vulnerability.

Apply any available patches or updates from the LLDAP project that address this input handling flaw as soon as they are released.
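The get_refresh_token() pattern described in the executive summary, placed beside the error-propagating form that a patch of the kind called for above would use, as an added Rust example that is not LLDAP's code: HeaderValue, Request, TokenError and both functions are stand-ins written for this example, and the rule that to_str() rejects any byte outside visible ASCII or tab is an assumption about the http crate's behaviour.

```rust
// Added example, not LLDAP's code. `HeaderValue` is a std-only stand-in for the
// `http` crate type; its to_str() rejection rule is assumed to match the real one.
pub struct HeaderValue(Vec<u8>);
#[derive(Debug, PartialEq)]
pub struct ToStrError;

impl HeaderValue {
    pub fn from_bytes(bytes: &[u8]) -> Self { HeaderValue(bytes.to_vec()) }
    /// Err for any byte outside visible ASCII (0x20..0x7f) or tab, so 0xff fails.
    pub fn to_str(&self) -> Result<&str, ToStrError> {
        if self.0.iter().all(|&b| (0x20..0x7f).contains(&b) || b == b'\t') {
            std::str::from_utf8(&self.0).map_err(|_| ToStrError)
        } else {
            Err(ToStrError)
        }
    }
}

/// Hypothetical request stand-in: lowercased header name -> raw header value.
pub struct Request {
    headers: Vec<(String, HeaderValue)>,
}

impl Request {
    pub fn new(headers: Vec<(&str, HeaderValue)>) -> Self {
        let headers = headers.into_iter().map(|(k, v)| (k.to_ascii_lowercase(), v)).collect();
        Request { headers }
    }
    fn header(&self, name: &str) -> Option<&HeaderValue> {
        self.headers.iter().find(|(k, _)| k.as_str() == name).map(|(_, v)| v)
    }
}

/// The pattern the advisory describes: unwrap() turns a malformed header into
/// a panic in the worker handling the request.
pub fn get_refresh_token_vulnerable(req: &Request) -> Option<String> {
    req.header("refresh-token").map(|v| v.to_str().unwrap().to_string())
}

#[derive(Debug, PartialEq)]
pub enum TokenError { Missing, Malformed }

/// Hardened form: the conversion error is propagated so the handler can answer
/// with a client error (e.g. 400) instead of panicking.
pub fn get_refresh_token_hardened(req: &Request) -> Result<String, TokenError> {
    let value = req.header("refresh-token").ok_or(TokenError::Missing)?;
    let token = value.to_str().map_err(|_| TokenError::Malformed)?;
    Ok(token.to_string())
}
```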
