PatchSiren cyber security CVE debrief
CVE-2026-44596 yamcs CVE debrief
CVE-2026-44596: Yamcs Authentication Endpoint Lacks Rate Limiting. Prior to 5.12.7, the authentication endpoint POST /auth/token in yamcs-core lacked rate limiting, account lockout, or failed-attempt throttling. This allowed unauthenticated remote attackers to perform unlimited password-guessing attempts against any user account, significantly increasing the risk of successful brute-force attacks. The issue is fixed in versions 5.12.7 and 5.13.0. Affected product deployments should be reviewed for potential exposure, and compensating controls may be necessary while remediation is scheduled and verified.
- Vendor
- yamcs
- Product
- Unknown
- CVSS
- MEDIUM 6.5
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
Users of Yamcs versions prior to 5.12.7 or 5.13.0 should apply the patches to prevent brute-force attacks against user accounts. This includes operators, platform administrators, vulnerability management teams, and security teams who need to review the affected scope, severity, and vendor guidance. Additional security measures such as IP blocking for excessive login attempts and monitoring authentication logs for suspicious activity are also recommended.
Technical summary
The authentication endpoint POST /auth/token in yamcs-core, handled by AuthHandler.java, did not implement rate limiting, account lockout, or throttling for failed login attempts. This vulnerability allowed unauthenticated attackers to perform unlimited password-guessing attempts against any user account. The issue was addressed with the release of Yamcs versions 5.12.7 and 5.13.0. Affected product deployments should be reviewed for potential exposure, and compensating controls may be necessary while remediation is scheduled and verified. The vulnerability has a CVSS score of 6.5 and a severity of MEDIUM.
Defensive priority
High
Recommended defensive actions
- Apply patches to upgrade Yamcs to version 5.12.7 or 5.13.0
- Implement additional security measures such as IP blocking for excessive login attempts
- Monitor authentication logs for suspicious activity
- Consider implementing a Web Application Firewall (WAF) to detect and prevent brute-force attacks
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
The CVE record and NVD entry provide details on the vulnerability and its fixes. GitHub commits and release notes confirm the patches in versions 5.12.7 and 5.13.0. Evidence limits suggest that the affected scope and impact are still being verified. Defenders should review the official advisory and CVE record to validate affected scope, severity, and vendor guidance. The issue is related to the authentication endpoint POST /auth/token in yamcs-core, handled by AuthHandler.java. The vulnerability allows unauthenticated remote attackers to perform unlimited password-guessing attempts against any user account. The issue was addressed with the release of Yamcs versions 5.12.7 and 5.13.0. However, the full scope of affected systems and potential impact on operational security is still under review.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T17:16:55.880Z and has not been modified since then.