## https://sploitus.com/exploit?id=D20141F3-CD91-5E16-9C83-889D014E780F
# CVE-2026-42568 โ YAMCS LDAP Injection in LdapAuthModule
## Summary
An LDAP injection vulnerability exists in `org.yamcs.security.LdapAuthModule`. The username parameter is inserted directly into LDAP search filters without RFC 4515 escaping, allowing authentication bypass.
| Field | Value |
|-------|-------|
| **CVE** | CVE-2026-42568 |
| **Severity** | MEDIUM |
| **CWE** | CWE-90: Improper Neutralization of Special Elements in LDAP Query |
| **Affected** | yamcs-core **Note:** This vulnerability only affects YAMCS instances with `LdapAuthModule` configured. Default installations using built-in auth are not affected.
## Impact
An unauthenticated attacker who can reach the YAMCS server can bypass authentication entirely when LDAP auth is configured, gaining access as an arbitrary user including administrators.
## Fix
Upgrade to `yamcs-core >= 5.12.7`.
The fix applies RFC 4515 escaping to the username before constructing the LDAP filter.
## Timeline
| Date | Event |
|------|-------|
| 2026-05 | Vulnerability reported |
| 2026-05-26 | Fix released in yamcs-core 5.12.7 |
| 2026-05-26 | Public advisory published |
## Researcher
**Daniel Miranda Barcelona (Excal1bur)**
- GitHub: [https://github.com/ex-cal1bur](https://github.com/ex-cal1bur)
- LinkedIn: [https://linkedin.com/in/daniel-miranda-barcelona](https://linkedin.com/in/daniel-miranda-barcelona)
- Blog: [https://thedumpster.es](https://thedumpster.es)