Description
An input handling flaw in the HTTP refresh token process of LLDAP v0.6.2 allows attackers to cause a Denial of Service (DoS) via sending a crafted refresh-token header.
Published: 2026-06-15
Score: 7.5 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An input handling flaw exists in the HTTP refresh token process of LLDAP version 0.6.2; the flaw allows an attacker to send a specially crafted refresh-token header that can exhaust server resources or cause a crash, resulting in a denial of availability for legitimate users. Because the vulnerability does not corrupt data or grant additional privileges, the primary effect is loss of service rather than breach of confidentiality or integrity.

Affected Systems

The only product explicitly listed as affected is LLDAP version 0.6.2, a lightweight LDAP server written in Rust. No other vendors or product lines were referenced in the CNA data, so the scope of the vulnerability is limited to this single release.

Risk and Exploitability

The CVSS score of 7.5 places the vulnerability in the high‑severity range, but the EPSS score of less than 1 % indicates that exploitation in the wild is unlikely. The vulnerability is not included in CISA’s KEV catalog. Attackers would only need the ability to send HTTP requests to the refresh‑token endpoint; no privileged access or credentials are required. Once the crafted header is processed, the server may become unresponsive or crash, which would deny service to all users.

Generated by OpenCVE AI on June 17, 2026 at 21:55 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade LLDAP to a version that addresses the refresh‑token handling flaw when a vendor‑released patch becomes available.
  • If upgrading is not immediately possible, restrict access to the refresh‑token endpoint with firewall or ACL rules to limit the request sources and enforce authentication for token refreshes.
  • As a temporary mitigation, validate the refresh‑token header for expected length and format before processing it, rejecting malformed headers early to prevent resource exhaustion.

Generated by OpenCVE AI on June 17, 2026 at 21:55 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Fri, 26 Jun 2026 10:45:00 +0000

Type Values Removed Values Added
First Time appeared Lldap
Lldap lldap
Vendors & Products Lldap
Lldap lldap

Thu, 18 Jun 2026 04:45:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted Refresh-Token Header in LLDAP 0.6.2

Wed, 17 Jun 2026 05:15:00 +0000

Type Values Removed Values Added
Title Denial of Service via Crafted Refresh-Token Header in LLDAP 0.6.2

Tue, 16 Jun 2026 17:30:00 +0000

Type Values Removed Values Added
Weaknesses CWE-400
Metrics cvssV3_1

{'score': 7.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H'}

ssvc

{'options': {'Automatable': 'yes', 'Exploitation': 'poc', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Mon, 15 Jun 2026 19:30:00 +0000

Type Values Removed Values Added
Description An input handling flaw in the HTTP refresh token process of LLDAP v0.6.2 allows attackers to cause a Denial of Service (DoS) via sending a crafted refresh-token header.
References

cve-icon MITRE

Status: PUBLISHED

Assigner: mitre

Published:

Updated: 2026-06-16T15:07:09.538Z

Reserved: 2026-06-07T00:00:00.000Z

Link: CVE-2026-50889

cve-icon Vulnrichment

Updated: 2026-06-16T15:07:00.916Z

cve-icon NVD

Status : Awaiting Analysis

Published: 2026-06-15T20:16:31.897

Modified: 2026-06-16T17:16:42.140

Link: CVE-2026-50889

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-26T09:46:07Z

Weaknesses
  • CWE-400

    Uncontrolled Resource Consumption