Description
YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, potentially enabling unauthorized access to external directory services.
Published: 2026-02-05
Score: 2.4 Low
EPSS: < 1% Very Low
KEV: No
Impact: Credential Exposure (LDAP passwords)
Action: Assess Impact
AI Analysis

Impact

The vulnerability causes LDAP bind passwords configured via gflags to appear in cleartext within the YugabyteDB Anywhere web UI. An authenticated user who has access to the configuration view can read these credentials, potentially enabling unauthorized access to external directory services. The flaw represents a confidentiality breach of sensitive authentication data. The likely attack vector is an authenticated user with configuration privileges, as only users who can view the settings will see the passwords.

Affected Systems

YugabyteDB Inc’s YugabyteDB Anywhere product is affected by this issue. No specific version range is listed, so the problem exists in the current releases where LDAP bind passwords are displayed through the web interface.

Risk and Exploitability

The CVSS base score of 2.4 indicates low severity, and the EPSS probability is under 1 percent, with the vulnerability not listed in the KEV catalog. The risk profile is limited to individuals who possess privileged configuration access, and exploitation requires that the attacker first authenticates to the system. While exposure of LDAP credentials can lead to further compromises of external directory services, the overall likelihood and impact remain low due to the narrow attack surface and the necessity of pre-existing user credentials.

Generated by OpenCVE AI on April 17, 2026 at 23:02 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Revoke or limit configuration view permissions to users who absolutely need them to prevent credential leakage.
  • Use secure storage or encryption for LDAP bind passwords so they are not shown in cleartext; consider moving configuration to environment variables or protected files instead of gflags.
  • Apply any available YugabyteDB Anywhere patch or upgrade to the latest release that fixes the credential exposure.
  • If a patch is not yet released, rotate LDAP passwords immediately and monitor directory service logs for suspicious activity.


Tracking


Advisories

No advisories yet.

History

Tue, 10 Feb 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-312
References
Metrics threat_severity

None

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N'}

threat_severity

Low


Fri, 06 Feb 2026 12:15:00 +0000

Type Values Removed Values Added
First Time appeared: Yugabyte; Yugabyte yugabytedb Anywhere
Vendors & Products: Yugabyte; Yugabyte yugabytedb Anywhere

Thu, 05 Feb 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Thu, 05 Feb 2026 12:00:00 +0000

Type Values Removed Values Added
Description YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, potentially enabling unauthorized access to external directory services.
Title YugabyteDB Anywhere Exposes LDAP Credentials in Cleartext in Web UI
Weaknesses CWE-522
References
Metrics cvssV4_0

{'score': 2.4, 'vector': 'CVSS:4.0/AV:P/AC:H/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H'}


Subscriptions

Yugabyte Yugabytedb Anywhere
MITRE

Status: PUBLISHED

Assigner: Yugabyte

Published:

Updated: 2026-02-05T14:18:33.527Z

Reserved: 2026-02-05T11:27:51.783Z

Link: CVE-2026-1966

Vulnrichment

Updated: 2026-02-05T14:18:29.868Z

NVD

Status: Deferred

Published: 2026-02-05T12:16:01.467

Modified: 2026-04-15T00:35:42.020

Link: CVE-2026-1966

Redhat

Severity: Low

Public Date: 2026-02-05T11:38:28Z

Links: CVE-2026-1966 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-17T23:15:30Z

Weaknesses