CVE-2026-44596: Yamcs has No Rate Limiting on Authentication Endpoint

May 27, 2026

The authentication endpoint POST /auth/token in yamcs-core lacks any form of rate limiting, account lockout, or failed attempt throttling. As a result, an unauthenticated remote attacker can perform unlimited password guessing attempts against any user account.

This missing rate limiting vulnerability (CWE-307) significantly increases the risk of successful brute-force attacks.

References

github.com/advisories/GHSA-w5r6-mcgq-7pq4
github.com/yamcs/yamcs/security/advisories/GHSA-w5r6-mcgq-7pq4
nvd.nist.gov/vuln/detail/CVE-2026-44596

Code Behaviors & Features

Detect and mitigate CVE-2026-44596 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →