CVE-2026-55548
Awaiting Analysis Awaiting Analysis - Queue

Privilege Escalation in Yamcs Telemetry Export

Vulnerability report for CVE-2026-55548, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

Yamcs is a mission control framework. Prior to 5.12.8 and 5.13.2, the PacketsApi.exportPackets endpoint in yamcs-core/src/main/java/org/yamcs/http/api/PacketsApi.java failed to enforce object-level ReadPacket privileges when a request omitted specific packet names: with an empty name list the ctx.checkObjectPrivileges(ObjectPrivilegeType.ReadPacket, nameSet) call passed over an empty set, no WHERE pname IN filter was applied to the resulting SELECT * FROM tm query, and the onTuple handler streamed every retrieved packet without any per-row authorization check, so a low-privileged or zero-privilege authenticated user could dump the entire raw telemetry packet archive and bypass the role-based access control model. This issue is fixed in versions 5.12.8 and 5.13.2, which enforce per-packet ReadPacket checks in exportPackets.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
yamcs yamcs 5.12.8
yamcs yamcs 5.13.2
yamcs yamcs to 5.12.8|start_including=5.13.0 (exc)
yamcs yamcs to 5.13.2 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-284 The product does not restrict or incorrectly restricts access to a resource from an unauthorized actor.
CWE-862 The product does not perform an authorization check when an actor attempts to access a resource or perform an action.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability in Yamcs allows low-privileged users to access raw telemetry packet archives without proper authorization. The PacketsApi.exportPackets endpoint fails to enforce ReadPacket privileges when no specific packet names are requested, bypassing role-based access controls and allowing unauthorized data exposure.

Detection Guidance

Detecting this vulnerability requires checking if your Yamcs instance is running a vulnerable version (prior to 5.12.8 or 5.13.2). Verify the installed version by running commands like 'yamcs --version' or checking the package manager. Monitor logs for unauthorized access attempts to the PacketsApi.exportPackets endpoint.

Impact Analysis

If you use Yamcs versions before 5.12.8 or 5.13.2, an attacker with minimal access could dump your entire telemetry archive, exposing sensitive mission data. This could lead to data breaches, loss of proprietary information, or operational security risks depending on the telemetry content.

Compliance Impact

This vulnerability could violate data protection regulations like GDPR or HIPAA by enabling unauthorized access to sensitive data. Organizations using affected Yamcs versions may face compliance violations, legal penalties, or reputational damage due to uncontrolled data exposure.

Mitigation Strategies

Upgrade Yamcs to version 5.12.8 or 5.13.2 or later immediately. Apply strict access controls to the exportPackets endpoint and ensure all users have only the minimum required privileges. Review logs for any signs of exploitation and restrict network access to the Yamcs server.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-55548. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart