CVE-2026-1966

LOW

YugabyteDB Anywhere - Info Disclosure

Description

YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, potentially enabling unauthorized access to external directory services.

Scores

CVSS v4 2.4
EPSS 0.0001
EPSS Percentile 0.8%
CVSS:4.0/AV:P/AC:H/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H

CISA SSVC

Vulnrichment
Exploitation none
Automatable no
Technical Impact partial

Details

CWE CWE-522
Status published
Products (3)
YugabyteDB Inc/YugabyteDB Anywhere 2024.2.0.0 - 2024.2.6.0
YugabyteDB Inc/YugabyteDB Anywhere 2025.1.0.0 - 2025.1.1.0
YugabyteDB Inc/YugabyteDB Anywhere 2025.2.0.0
Published Feb 05, 2026
Tracked Since Feb 18, 2026