CVE-2026-44595

Source
https://cve.org/CVERecord?id=CVE-2026-44595
Import Source
https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44595.json
JSON Data
https://api.osv.dev/v1/vulns/CVE-2026-44595
Aliases
Published
2026-07-16T16:02:46.293Z
Modified
2026-07-19T03:46:54.186821384Z
Severity
  • 4.3 (Medium) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N CVSS Calculator
Summary
Yamcs: Unauthorized user enumeration via IAM API endpoints
Details

Yamcs is a mission control framework. Prior to 5.12.7, the IAM API endpoints listUsers, getUser, listGroups, and getGroup in yamcs-core did not enforce the required SystemPrivilege.ControlAccess check in yamcs-core/src/main/java/org/yamcs/http/api/IamApi.java, so any authenticated user, even one with low or no privileges, could enumerate all user accounts in the system including their usernames, superuser status, and group memberships. This issue is fixed in versions 5.12.7 and 5.13.0.

Database specific
{
    "cwe_ids": [
        "CWE-862"
    ],
    "osv_generated_from": "https://github.com/CVEProject/cvelistV5/tree/main/cves/2026/44xxx/CVE-2026-44595.json",
    "cna_assigner": "GitHub_M"
}
References

Affected packages

Git / github.com/yamcs/yamcs

Affected ranges

Type
GIT
Repo
https://github.com/yamcs/yamcs
Events
Database specific
{
    "cpe": "cpe:2.3:a:spaceapplications:yamcs:*:*:*:*:*:*:*:*",
    "extracted_events": [
        {
            "introduced": "0"
        },
        {
            "fixed": "5.12.7"
        }
    ],
    "source": [
        "CPE_RANGE",
        "REFERENCES"
    ]
}

Affected versions

Other
before-removing-cfdp-half-implemented-features
v0.*
v0.26.0
v0.26.1
v0.28.0
v0.28.0-20150811
v0.28.0-20150817
v0.28.0-20150820
v0.28.0-20150824
v0.28.0-20150825
v0.28.0-20150826
v0.28.0-20150827
v0.28.0-20150828
v0.28.0-20150901
v0.28.0-20150902
v0.28.0-20150902-2
v0.28.0-20150903
v0.29.0
v0.29.1
v0.29.1-20151214
v0.29.1-20160119
v0.29.1-20160127
v0.29.3
v0.29.3-20160608
v0.29.4
yamcs-0.*
yamcs-0.30.0
yamcs-3.*
yamcs-3.0.0
yamcs-3.1.0
yamcs-3.1.1
yamcs-3.1.2
yamcs-3.2.0
yamcs-3.2.1
yamcs-3.2.2
yamcs-3.3.0
yamcs-3.4.0
yamcs-4.*
yamcs-4.0.1
yamcs-4.1.1
yamcs-4.1.2
yamcs-4.10.0
yamcs-4.10.1
yamcs-4.10.2
yamcs-4.10.3
yamcs-4.10.4
yamcs-4.10.5
yamcs-4.10.6
yamcs-4.10.7
yamcs-4.10.8
yamcs-4.10.9
yamcs-4.2.0
yamcs-4.2.1
yamcs-4.2.2
yamcs-4.3.0
yamcs-4.3.1
yamcs-4.4.0
yamcs-4.4.1
yamcs-4.4.2
yamcs-4.7
yamcs-4.7.1
yamcs-4.7.2
yamcs-4.7.3
yamcs-4.8.0
yamcs-4.8.1
yamcs-4.9.0
yamcs-4.9.1
yamcs-4.9.2
yamcs-4.9.3
yamcs-4.9.4
yamcs-4.9.5
yamcs-5.*
yamcs-5.0.0
yamcs-5.0.1
yamcs-5.1.0
yamcs-5.1.1
yamcs-5.1.2
yamcs-5.1.3
yamcs-5.10.0
yamcs-5.10.1
yamcs-5.10.2
yamcs-5.10.3
yamcs-5.10.4
yamcs-5.10.5
yamcs-5.10.6
yamcs-5.10.7
yamcs-5.10.8
yamcs-5.10.9
yamcs-5.11.0
yamcs-5.11.1
yamcs-5.11.2
yamcs-5.11.3
yamcs-5.11.4
yamcs-5.11.5
yamcs-5.11.6
yamcs-5.11.7
yamcs-5.12.0
yamcs-5.12.1
yamcs-5.12.2
yamcs-5.12.3
yamcs-5.12.4
yamcs-5.12.5
yamcs-5.12.6
yamcs-5.2.0
yamcs-5.3.0
yamcs-5.3.1
yamcs-5.3.2
yamcs-5.3.3
yamcs-5.3.4
yamcs-5.3.5
yamcs-5.4.0
yamcs-5.4.1
yamcs-5.4.2
yamcs-5.4.3
yamcs-5.5.0
yamcs-5.5.1
yamcs-5.5.2
yamcs-5.5.3
yamcs-5.5.4
yamcs-5.5.5
yamcs-5.5.6
yamcs-5.5.7
yamcs-5.6.0
yamcs-5.6.1
yamcs-5.6.2
yamcs-5.7.0
yamcs-5.7.1
yamcs-5.7.10
yamcs-5.7.2
yamcs-5.7.3
yamcs-5.7.4
yamcs-5.7.5
yamcs-5.7.6
yamcs-5.7.7
yamcs-5.7.8
yamcs-5.7.9
yamcs-5.8.0
yamcs-5.8.1
yamcs-5.8.2
yamcs-5.8.3
yamcs-5.8.4
yamcs-5.8.5
yamcs-5.8.6
yamcs-5.8.7
yamcs-5.8.8
yamcs-5.9.0
yamcs-5.9.1
yamcs-5.9.2
yamcs-5.9.3
yamcs-5.9.4
yamcs-5.9.5
yamcs-5.9.6
yamcs-5.9.7
yamcs-5.9.8

Database specific

source
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-44595.json"