Share
## https://sploitus.com/exploit?id=1296FEF5-CF82-534F-9672-F87D07FC7346
# CVE-2026-44595 โ€” YAMCS Unauthorized User Enumeration via IAM API

## Summary

The IAM API endpoints (`listUsers`, `getUser`, `listGroups`, `getGroup`) in `yamcs-core` do not enforce the required `SystemPrivilege.ControlAccess` check. Any authenticated user โ€” even one with no privileges โ€” can enumerate all user accounts, superuser status, and group memberships.

| Field | Value |
|-------|-------|
| **CVE** | CVE-2026-44595 |
| **Severity** | MEDIUM (CVSS 4.3) |
| **CWE** | CWE-862: Missing Authorization |
| **Affected** | yamcs-core  admin [SUPERUSER]
    -> operator [regular]
    -> testuser [regular]
```

## Impact

An attacker with any valid account can map the entire user structure of the YAMCS instance โ€” identifying superuser accounts for targeted attacks, enumerating operator accounts, and understanding group-based access controls.

## Fix

Upgrade to `yamcs-core >= 5.12.7`.

## Timeline

| Date | Event |
|------|-------|
| 2026-05 | Vulnerability reported |
| 2026-05-27 | Fix released in yamcs-core 5.12.7 |
| 2026-05-27 | Public advisory published |

## Researcher

**Daniel Miranda Barcelona (Excal1bur)**
- GitHub: [https://github.com/ex-cal1bur](https://github.com/ex-cal1bur)
- LinkedIn: [https://linkedin.com/in/daniel-miranda-barcelona](https://linkedin.com/in/daniel-miranda-barcelona)
- Blog: [https://thedumpster.es](https://thedumpster.es)