GHSA-w5r6-mcgq-7pq4
Suggest an improvement- Source
- https://github.com/advisories/GHSA-w5r6-mcgq-7pq4
- Import Source
- https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-w5r6-mcgq-7pq4/GHSA-w5r6-mcgq-7pq4.json
- JSON Data
- https://api.test.osv.dev/v1/vulns/GHSA-w5r6-mcgq-7pq4
- Aliases
-
- CVE-2026-44596
- Published
- 2026-05-27T00:04:28Z
- Modified
- 2026-05-27T00:15:08.218627173Z
- Severity
-
- 6.5 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N CVSS Calculator
- Summary
- Yamcs has No Rate Limiting on Authentication Endpoint
- Details
-
Summary
The authentication endpoint
POST /auth/tokeninyamcs-corelacks any form of rate limiting, account lockout, or failed attempt throttling. As a result, an unauthenticated remote attacker can perform unlimited password guessing attempts against any user account.This missing rate limiting vulnerability (CWE-307) significantly increases the risk of successful brute-force attacks.
Root Cause
File:
yamcs-core/src/main/java/org/yamcs/http/auth/AuthHandler.javaPOST /auth/tokenhas no rate limiting, no lockout after failed attempts, and no CAPTCHA. The handler processes unlimited authentication requests without any throttling mechanism:// AuthHandler.java — handleToken() // No throttle, no failed attempt counter, no lockout private void handleToken(HandlerContext ctx) { ... getSecurityStore().login(token).whenComplete((info, err) -> { // Directly attempts authentication with no rate check }); }This is absent by default — the official quickstart and documentation contain no guidance on configuring rate limiting.
Impact
An attacker can make unlimited authentication attempts against any account. This enables efficient brute-force attacks against any account.
Proof of Concept
# 20 attempts — zero rate limiting for i in $(seq 1 20); do curl -s -o /dev/null -w "Attempt $i: HTTP %{http_code}\n" \ -X POST "http://TARGET:8090/auth/token" \ -d "grant_type=password&username=operator&password=operator12$i" done # All return HTTP 401 — no HTTP 429 everConfirmed: 20 attempts in 0.07 seconds, no rate limiting enforced.
Fix
Implement DRF-style throttling on
/auth/token:// Track failed attempts per IP private static final Cache<String, Integer> FAILED_ATTEMPTS = CacheBuilder.newBuilder().expireAfterWrite(15, TimeUnit.MINUTES).build(); private static final int MAX_ATTEMPTS = 10; private void handleToken(HandlerContext ctx) { String ip = ctx.getRemoteAddress(); int attempts = Optional.ofNullable(FAILED_ATTEMPTS.getIfPresent(ip)).orElse(0); if (attempts >= MAX_ATTEMPTS) { throw new TooManyRequestsException("Rate limit exceeded"); } // ... existing auth logic // On failure: FAILED_ATTEMPTS.put(ip, attempts + 1) } - Database specific
{ "github_reviewed_at": "2026-05-27T00:04:28Z", "nvd_published_at": null, "severity": "MODERATE", "github_reviewed": true, "cwe_ids": [ "CWE-307" ] }- References
Affected packages
Maven / org.yamcs:yamcs-core
Package
- Name
- org.yamcs:yamcs-core
- View open source insights on deps.dev
- Purl
- pkg:maven/org.yamcs/yamcs-core
Affected ranges
- Type
- ECOSYSTEM
- Events
-
Introduced0Unknown introduced version / All previous versions are affectedFixed5.12.7