Description
Yamcs is a mission control framework. Prior to 5.12.7, the authentication endpoint POST /auth/token in yamcs-core, handled by yamcs-core/src/main/java/org/yamcs/http/auth/AuthHandler.java, lacked any rate limiting, account lockout, or failed-attempt throttling, so an unauthenticated remote attacker could perform unlimited password-guessing attempts against any user account, significantly increasing the risk of successful brute-force attacks. This issue is fixed in versions 5.12.7 and 5.13.0.
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-w5r6-mcgq-7pq4 | Yamcs has No Rate Limiting on Authentication Endpoint |
References
History
Thu, 16 Jul 2026 17:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Yamcs
Yamcs yamcs |
|
| Vendors & Products |
Yamcs
Yamcs yamcs |
Thu, 16 Jul 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Yamcs is a mission control framework. Prior to 5.12.7, the authentication endpoint POST /auth/token in yamcs-core, handled by yamcs-core/src/main/java/org/yamcs/http/auth/AuthHandler.java, lacked any rate limiting, account lockout, or failed-attempt throttling, so an unauthenticated remote attacker could perform unlimited password-guessing attempts against any user account, significantly increasing the risk of successful brute-force attacks. This issue is fixed in versions 5.12.7 and 5.13.0. | |
| Title | Yamcs: No Rate Limiting on Authentication Endpoint | |
| Weaknesses | CWE-307 | |
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-16T16:04:11.794Z
Reserved: 2026-05-06T21:49:12.426Z
Link: CVE-2026-44596
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-16T17:30:03Z
Weaknesses
-
CWE-307
Improper Restriction of Excessive Authentication Attempts
Github GHSA