PT-2026-43456 · Maven · Org.Yamcs:Yamcs-Core

Published

2026-05-27

·

Updated

2026-05-27

·

CVE-2026-44596

CVSS v3.1

6.5

Medium

VectorAV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:N

Summary

The authentication endpoint POST /auth/token in yamcs-core lacks any form of rate limiting, account lockout, or failed attempt throttling. As a result, an unauthenticated remote attacker can perform unlimited password guessing attempts against any user account.
This missing rate limiting vulnerability (CWE-307) significantly increases the risk of successful brute-force attacks.

Root Cause

File: yamcs-core/src/main/java/org/yamcs/http/auth/AuthHandler.java
POST /auth/token has no rate limiting, no lockout after failed attempts, and no CAPTCHA. The handler processes unlimited authentication requests without any throttling mechanism:
// AuthHandler.java — handleToken()
// No throttle, no failed attempt counter, no lockout
private void handleToken(HandlerContext ctx) {
  ...
  getSecurityStore().login(token).whenComplete((info, err) -> {
    // Directly attempts authentication with no rate check
  });
}
This is absent by default — the official quickstart and documentation contain no guidance on configuring rate limiting.

Impact

An attacker can make unlimited authentication attempts against any account. This enables efficient brute-force attacks against any account.

Proof of Concept

# 20 attempts — zero rate limiting
for i in $(seq 1 20); do
 curl -s -o /dev/null -w "Attempt $i: HTTP %{http code}
" 
  -X POST "http://TARGET:8090/auth/token" 
  -d "grant type=password&username=operator&password=operator12$i"
done
# All return HTTP 401 — no HTTP 429 ever
Confirmed: 20 attempts in 0.07 seconds, no rate limiting enforced.

Fix

Implement DRF-style throttling on /auth/token:
// Track failed attempts per IP
private static final Cache<String, Integer> FAILED ATTEMPTS =
  CacheBuilder.newBuilder().expireAfterWrite(15, TimeUnit.MINUTES).build();

private static final int MAX ATTEMPTS = 10;

private void handleToken(HandlerContext ctx) {
  String ip = ctx.getRemoteAddress();
  int attempts = Optional.ofNullable(FAILED ATTEMPTS.getIfPresent(ip)).orElse(0);
  if (attempts >= MAX ATTEMPTS) {
    throw new TooManyRequestsException("Rate limit exceeded");
  }
  // ... existing auth logic
  // On failure: FAILED ATTEMPTS.put(ip, attempts + 1)
}

Fix

Improper Restriction of Excessive Authentication Attempts

Weakness Enumeration

CWE-307

Related Identifiers

CVE-2026-44596
GHSA-W5R6-MCGQ-7PQ4

Affected Products

Org.Yamcs:Yamcs-Core