CVE-2026-44596

YAMCS yamcs-core 5.12.7 - No Rate Limiting

Exploitation Summary

EIP tracks 1 public exploit for CVE-2026-44596. PoCs published by Daniel Miranda.

AI-analyzed exploit summary This script demonstrates CVE-2026-44596, a lack of rate limiting in YAMCS yamcs-core < 5.12.7, allowing unauthenticated brute-force attacks on the /auth/token endpoint. It sends multiple login attempts and checks for HTTP 429 (rate-limited) or 200 (successful login) responses.

Description

YAMCS yamcs-core 5.12.7 - No Rate Limiting

Exploits (1)

exploitdb WORKING POC

by Daniel Miranda · bashwebappsmultiple

https://www.exploit-db.com/exploits/52605

View Code ZIP pw:eip

This script demonstrates CVE-2026-44596, a lack of rate limiting in YAMCS yamcs-core < 5.12.7, allowing unauthenticated brute-force attacks on the /auth/token endpoint. It sends multiple login attempts and checks for HTTP 429 (rate-limited) or 200 (successful login) responses.

Classification

Working Poc 100%

Attack Type

Auth Bypass

Complexity

Trivial

Reliability

Reliable

Target: YAMCS yamcs-core < 5.12.7

No auth needed

Prerequisites: network access to the target YAMCS instance · valid username to brute-force

MITRE ATT&CK

T1190 - Exploit Public-Facing Application T1078 - Valid Accounts

devstral-2 · analyzed May 31, 2026 Full analysis →

Scores

EPSS 0.0005

EPSS Percentile 16.9%

Details

Status draft

Tracked Since May 31, 2026