CVE-2026-44595: Yamcs vulnerable to unauthorized user enumeration via IAM API endpoints
The IAM API endpoints (listUsers, getUser, listGroups, and getGroup) in yamcs-core do not enforce the required SystemPrivilege.ControlAccess check. As a result, any authenticated user (even those with low or no privileges) can enumerate all user accounts in the system, including their usernames, superuser status, and group memberships.
This constitutes a broken access control vulnerability (CWE-862) that leaks sensitive user information.
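The following Java sketch is an added illustration, not Yamcs's own source: it puts the endpoint shape the advisory describes (no privilege check before reading the user directory) beside the fixed shape that gates on SystemPrivilege.ControlAccess. The Context class, its privilege set, ForbiddenException and the sample directory are assumed stand-ins for the project's real types and data.

```java
// Added illustrative sketch, not Yamcs's own source: the missing ControlAccess
// check behind CVE-2026-44595 next to the fixed shape. Context, its privilege
// set and ForbiddenException are assumed stand-ins for the project's real types.
import java.util.EnumSet;
import java.util.List;

class IamApi {
    // Constructed sample directory standing in for the user database.
    private final List<String> directory = List.of("admin", "operator", "viewer");

    // Vulnerable shape: being authenticated is enough to read the whole directory.
    List<String> listUsersUnchecked(Context ctx) {
        return directory;
    }

    // Fixed shape: the ControlAccess check runs before any data is read.
    // The same gate belongs at the top of getUser, listGroups and getGroup.
    List<String> listUsers(Context ctx) {
        ctx.checkSystemPrivilege(SystemPrivilege.ControlAccess);
        return directory;
    }

    public static void main(String[] args) {
        IamApi api = new IamApi();
        Context lowPriv = new Context("viewer", EnumSet.noneOf(SystemPrivilege.class));
        System.out.println("unchecked: " + api.listUsersUnchecked(lowPriv)); // every account leaks
        try {
            api.listUsers(lowPriv);
        } catch (ForbiddenException e) {
            System.out.println("checked: " + e.getMessage());
        }
    }
}

enum SystemPrivilege { ControlAccess }

class ForbiddenException extends RuntimeException { ForbiddenException(String m) { super(m); } }

// Per-request context: who is calling and which system privileges they hold.
class Context {
    final String username;
    final EnumSet<SystemPrivilege> privileges;
    Context(String u, EnumSet<SystemPrivilege> p) { username = u; privileges = p; }
    // Gate for privileged endpoints; throws when the caller lacks the privilege.
    void checkSystemPrivilege(SystemPrivilege p) {
        if (!privileges.contains(p)) throw new ForbiddenException(username + " lacks " + p);
    }
}
```

Running the file shows the unchecked method returning every account to a caller with no privileges, while the checked method rejects the same caller before touching the directory.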