CVE-2026-42568
Java Vulnerability Analysis and Mitigation

Overview

CVE-2026-42568 is an LDAP injection vulnerability in Yamcs (Yet Another Mission Control System), specifically in the org.yamcs.security.LdapAuthModule class used for LDAP-based authentication. The vulnerability arises because the username parameter is inserted directly into LDAP search filters without proper RFC 4515 escaping, allowing manipulation of the filter logic. It affects org.yamcs:yamcs-core versions prior to 5.12.7 and 5.13.0. The vulnerability was published on May 21, 2026, and has a CVSS v3.1 base score of 4.3 (Moderate) (Github Advisory, Yamcs Advisory).

Technical details

The root cause is classified as CWE-90 (Improper Neutralization of Special Elements used in an LDAP Query). The vulnerable code is located in yamcs-core/src/main/java/org/yamcs/security/LdapAuthModule.java at line 233, where the username is substituted directly into the LDAP filter string: var filter = userFilter.replace("{0}", username); Because LDAP filter metacharacters such as *, (, and ) are not escaped, an attacker with any valid password can supply username=* to match the first user returned by the LDAP directory, bypassing normal username-to-account binding. Exploitation requires low privileges (a known valid password for any account) and is performed over the network with no user interaction (Github Advisory, Yamcs Advisory).

Impact

Successful exploitation enables horizontal privilege escalation: an attacker who knows one valid password can authenticate as a different LDAP user — specifically the first user returned by the manipulated LDAP search — gaining access to that account's permissions and data within Yamcs. The confidentiality impact is limited (low), with no direct integrity or availability impact per the CVSS scoring. This vulnerability only affects deployments that have configured org.yamcs.security.LdapAuthModule in their etc/security.yaml file; installations using other authentication modules are not affected (Github Advisory).

Mitigation and workarounds

Upgrade org.yamcs:yamcs-core to version 5.12.7 (patch release) or 5.13.0 (latest stable) to resolve the vulnerability. The fix applies RFC 4515 escaping to the username before it is inserted into the LDAP filter, neutralizing wildcard and special characters. As a temporary workaround for deployments that cannot immediately upgrade, restrict network access to the Yamcs HTTP API (port 8090) to trusted hosts only, and consider switching to an alternative authentication module if LDAP is not strictly required (Yamcs 5.12.7 Release, Yamcs 5.13.0 Release).
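
An added example, not Yamcs's own code or its actual patch: RFC 4515 value escaping applied before the substitution quoted above, next to the unescaped form. The class name, the helper names and the (uid={0}) filter template are assumptions, and the usernames are constructed.

```java
import java.util.List;

public class LdapFilterEscapeDemo {
    // Assumed filter template; the page shows only the "{0}" placeholder, not the configured value.
    static final String USER_FILTER = "(uid={0})";

    // The pattern the page describes as vulnerable: raw username substituted into the filter.
    static String buildUnsafe(String username) {
        return USER_FILTER.replace("{0}", username);
    }

    // RFC 4515 section 3: inside an assertion value these characters must be written
    // as a backslash followed by the two hex digits of the character's byte value.
    static String escapeFilterValue(String value) {
        StringBuilder sb = new StringBuilder(value.length() + 8);
        for (int i = 0; i < value.length(); i++) {
            char c = value.charAt(i);
            switch (c) {
                case '\\': sb.append("\\5c"); break;
                case '*':  sb.append("\\2a"); break;
                case '(':  sb.append("\\28"); break;
                case ')':  sb.append("\\29"); break;
                case '\0': sb.append("\\00"); break;
                default:   sb.append(c);
            }
        }
        return sb.toString();
    }

    // Escape first, then substitute. String.replace is a literal replacement,
    // so the backslashes produced by the escaper are not reinterpreted.
    static String buildSafe(String username) {
        return USER_FILTER.replace("{0}", escapeFilterValue(username));
    }

    public static void main(String[] args) {
        // Constructed inputs: a plain name, the wildcard named in the advisory,
        // a name containing parentheses, and a name containing a backslash.
        for (String u : List.of("alice", "*", "j.smith(ops)", "back\\slash")) {
            System.out.printf("%-14s unsafe=%-22s safe=%s%n", u, buildUnsafe(u), buildSafe(u));
        }
    }
}
```

With escaping in place the wildcard reaches the directory as a literal character to compare, so the filter can only match an entry whose attribute value actually contains it.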

Community reactions

The vulnerability was reported by security researcher ex-cal1bur and credited in the official GitHub advisory. Threat intelligence platforms including Offseq Radar and Vulners indexed the vulnerability shortly after disclosure. No significant vendor statements beyond the patch release or notable media coverage have been identified at this time (Yamcs Advisory).

Source: This report was generated using artificial intelligence.

Related Java vulnerabilities:

| CVE ID | Severity | Score | Technologies | Component name | CISA KEV exploit | Has fix | Published date |
|---|---|---|---|---|---|---|---|
| CVE-2026-48006 | HIGH | 8.7 | Java | io.netty:netty-codec-redis | No | | Jun 11, 2026 |
| CVE-2026-47691 | HIGH | 8.7 | Java | strimzi-kafka-operator-fips | No | | Jun 08, 2026 |
| CVE-2025-53114 | HIGH | 7.5 | Java | org.cometd.java:cometd-java-server-common | No | | Jun 10, 2026 |
| CVE-2026-48043 | MEDIUM | 5.3 | Java | io.netty:netty-codec-http2 | No | | Jun 11, 2026 |
| CVE-2026-42568 | MEDIUM | 4.3 | Java | org.yamcs:yamcs-core | No | | Jun 10, 2026 |
