Vulnerability DatabaseCVE-2026-44596
Mend.io Vulnerability Database
The largest open source vulnerability database
What is a Vulnerability ID?
New vulnerability? Tell us about it!
CVE-2026-44596
Published:May 27, 2026
Updated:June 13, 2026
Summary The authentication endpoint "POST /auth/token" in "yamcs-core" lacks any form of rate limiting, account lockout, or failed attempt throttling. As a result, an unauthenticated remote attacker can perform unlimited password guessing attempts against any user account. This missing rate limiting vulnerability (CWE-307) significantly increases the risk of successful brute-force attacks. Root Cause File: "yamcs-core/src/main/java/org/yamcs/http/auth/AuthHandler.java" "POST /auth/token" has no rate limiting, no lockout after failed attempts, and no CAPTCHA. The handler processes unlimited authentication requests without any throttling mechanism: // AuthHandler.java — handleToken() // No throttle, no failed attempt counter, no lockout private void handleToken(HandlerContext ctx) { ... getSecurityStore().login(token).whenComplete((info, err) -> { // Directly attempts authentication with no rate check }); } This is absent by default — the official quickstart and documentation contain no guidance on configuring rate limiting. Impact An attacker can make unlimited authentication attempts against any account. This enables efficient brute-force attacks against any account. Proof of Concept 20 attempts — zero rate limiting for i in $(seq 1 20); do curl -s -o /dev/null -w "Attempt $i: HTTP %{http_code}\n" -X POST "http://TARGET:8090/auth/token" -d "grant_type=password&username=operator&password=operator12$i" done All return HTTP 401 — no HTTP 429 ever Confirmed: 20 attempts in 0.07 seconds, no rate limiting enforced. Fix Implement DRF-style throttling on "/auth/token": // Track failed attempts per IP private static final Cache<String, Integer> FAILED_ATTEMPTS = CacheBuilder.newBuilder().expireAfterWrite(15, TimeUnit.MINUTES).build(); private static final int MAX_ATTEMPTS = 10; private void handleToken(HandlerContext ctx) { String ip = ctx.getRemoteAddress(); int attempts = Optional.ofNullable(FAILED_ATTEMPTS.getIfPresent(ip)).orElse(0); if (attempts >= MAX_ATTEMPTS) { throw new TooManyRequestsException("Rate limit exceeded"); } // ... existing auth logic // On failure: FAILED_ATTEMPTS.put(ip, attempts + 1) }
Affected Packages
https://github.com/yamcs/yamcs.git (GITHUB):
Affected version(s) >=yamcs-0.30.0 <yamcs-5.12.7
Fix Suggestion:
Update to version yamcs-5.12.7
org.yamcs:yamcs-core (JAVA):
Affected version(s) >=0.29.3 <5.12.7
Fix Suggestion:
Update to version 5.12.7
Related Resources (2)
https://github.com/yamcs/yamcs
https://github.com/yamcs/yamcs/security/advisories/GHSA-w5r6-mcgq-7pq4
Do you need more information?
Contact Us
CVSS v4
Base Score:
6.9
Attack Vector
NETWORK
Attack Complexity
LOW
Attack Requirements
NONE
Privileges Required
NONE
User Interaction
NONE
Vulnerable System Confidentiality
LOW
Vulnerable System Integrity
LOW
Vulnerable System Availability
NONE
Subsequent System Confidentiality
NONE
Subsequent System Integrity
NONE
Subsequent System Availability
NONE
CVSS v3
Base Score:
6.5
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality
LOW
Integrity
LOW
Availability
NONE
Weakness Type (CWE)
Improper Restriction of Excessive Authentication Attempts
CWE-307
EPSS
Base Score:
0.05