Advisories for Maven/Org.yamcs/Yamcs-Core package

2026

Yamcs vulnerable to unauthorized user enumeration via IAM API endpoints

The IAM API endpoints (listUsers, getUser, listGroups, and getGroup) in yamcs-core do not enforce the required SystemPrivilege.ControlAccess check. As a result, any authenticated user (even those with low or no privileges) can enumerate all user accounts in the system, including their usernames, superuser status, and group memberships. This constitutes a broken access control vulnerability (CWE-862) that leaks sensitive user information.

Yamcs Vulnerable to Server-Side Code Injection (RCE) via Janino Expression Engine in `JavaExprAlgorithmExecutionFactory`

A Server-Side Code Injection vulnerability exists in the Yamcs algorithm evaluation engine (org.yamcs.algorithms.JavaExprAlgorithmExecutionFactory). The application dynamically compiles and evaluates user-controlled algorithm text without enforcing a secure sandbox. An authenticated user with the ChangeMissionDatabase privilege can exploit this to achieve Remote Code Execution (RCE) on the underlying host operating system via the Janino compiler.

Yamcs has No Rate Limiting on Authentication Endpoint

The authentication endpoint POST /auth/token in yamcs-core lacks any form of rate limiting, account lockout, or failed attempt throttling. As a result, an unauthenticated remote attacker can perform unlimited password guessing attempts against any user account. This missing rate limiting vulnerability (CWE-307) significantly increases the risk of successful brute-force attacks.

Yamcs Vulnerable to LDAP Injection in LdapAuthModule

An LDAP injection vulnerability exists in org.yamcs.security.LdapAuthModule when constructing search filters. The username parameter is inserted directly into the LDAP filter without proper RFC 4515 escaping.