PatchSiren cyber security CVE debrief
CVE-2026-55548 yamcs CVE debrief
CVE-2026-55548 debrief: The PacketsApi.exportPackets endpoint in Yamcs, prior to versions 5.12.8 and 5.13.2, failed to enforce object-level ReadPacket privileges when a request omitted specific packet names. This oversight allowed a low-privileged or zero-privilege authenticated user to dump the entire raw telemetry packet archive and bypass the role-based access control model. The issue is fixed in versions 5.12.8 and 5.13.2, which enforce per-packet ReadPacket checks in exportPackets. Users of affected versions should review and apply patches to prevent unauthorized data access.
- Vendor
- yamcs
- Product
- Unknown
- CVSS
- MEDIUM 4.3
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
Users of Yamcs versions before 5.12.8 and 5.13.2 who have low-privileged or zero-privilege authenticated users should review and apply the patches. Additionally, operators, platform administrators, vulnerability management teams, and security teams who manage or interact with Yamcs systems should be aware of the potential for unauthorized data access and take steps to mitigate the risk.
Technical summary
The PacketsApi.exportPackets endpoint in yamcs-core/src/main/java/org/yamcs/http/api/PacketsApi.java failed to enforce object-level ReadPacket privileges when a request omitted specific packet names. With an empty name list, the ctx.checkObjectPrivileges(ObjectPrivilegeType.ReadPacket, nameSet) call passed over an empty set, no WHERE pname IN filter was applied to the resulting SELECT * FROM tm query, and the onTuple handler streamed every retrieved packet without any per-row authorization check. This allowed a low-privileged or zero-privilege authenticated user to dump the entire raw telemetry packet archive and bypass the role-based access control model. The issue is fixed in versions 5.12.8 and 5.13.2, which enforce per-packet ReadPacket checks in exportPackets.
Defensive priority
Medium priority for users of affected Yamcs versions due to the potential for unauthorized data access.
Recommended defensive actions
- Review and apply patches in versions 5.12.8 and 5.13.2
- Restrict access to the PacketsApi.exportPackets endpoint for low-privileged users
- Monitor for suspicious activity related to packet data access
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
Evidence notes
Evidence is based on official CVE and NVD records, as well as source references from GitHub. The CVE record was published on 2026-07-16T17:16:57.987Z and last modified on 2026-07-16T19:16:50.703Z. The NVD entry is currently Undergoing Analysis. Defensive verification tasks include reviewing system logs for unusual packet data access and verifying the patch levels of affected Yamcs systems.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T17:16:57.987Z and has not been modified since then. The NVD entry is currently Undergoing Analysis.