VYPR
Unrated severity · NVD Advisory · Published Jun 15, 2026

CVE-2026-50889

Description

An input handling flaw in LLDAP v0.6.2 allows unauthenticated remote DoS via crafted refresh-token header.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Vulnerability

LLDAP v0.6.2 contains an input handling flaw in the HTTP refresh token process. The get_refresh_token() function in server/src/auth_service.rs, used by /auth/refresh and /auth/logout handlers, calls HeaderValue::to_str().unwrap() on the refresh-token header. When the header contains non-ASCII bytes, to_str() fails and the unwrap() causes a panic, crashing the HTTP worker [1].

Exploitation

An attacker can trigger this vulnerability by sending an unauthenticated GET request to either /auth/refresh or /auth/logout with a refresh-token header containing a non-ASCII byte (e.g., 0xff). The malformed header value causes to_str().unwrap() to panic, leading to a worker restart or connection drop. Repeated requests can sustain denial of service, especially in the default single-worker configuration [1].

Impact

Successful exploitation results in a denial of service (DoS) against the LLDAP HTTP interface. The remote attacker causes a panic in the HTTP worker, making the service unavailable or unstable. No authentication or prior access is required [1].

Mitigation

As of the available reference [1], no fixed version is disclosed. The vulnerability affects LLDAP v0.6.2; users should monitor for a patched release (e.g., v0.6.3) or apply any workarounds provided by the vendor. If no update is available, restricting network access to the HTTP interface may reduce exposure.

AI Insight generated on Jun 15, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Patches

No patches discovered yet.

Vulnerability mechanics

Root cause

"Unsafe unwrap() on HeaderValue::to_str() in get_refresh_token() causes a panic when the refresh-token header contains non-ASCII bytes."

Attack vector

An unauthenticated remote attacker sends a GET request to `/auth/refresh` or `/auth/logout` with a `refresh-token` header containing a non-ASCII byte such as `0xff`. The `get_refresh_token()` helper calls `HeaderValue::to_str().unwrap()`, which panics on opaque bytes instead of returning an authentication error. Under the default single-worker configuration, repeated requests can sustain a denial of service against the LLDAP HTTP interface [1].

Affected code

The flaw resides in `get_refresh_token()` within `server/src/auth_service.rs`. The `/auth/refresh` and `/auth/logout` handlers call this helper, which invokes `HeaderValue::to_str().unwrap()` on the attacker-supplied `refresh-token` header. Because `to_str()` rejects non-ASCII bytes, a crafted header triggers an unwrap panic that crashes the HTTP worker [1].

What the fix does

The advisory does not include a published patch. The recommended fix is to replace the `unwrap()` call on `HeaderValue::to_str()` with proper error handling that returns an authentication error for malformed header bytes, preventing the panic from reaching the HTTP worker [1].
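The following Rust example is added here to make the "Affected code" and "What the fix does" sections concrete; it is not LLDAP's code. The real helper operates on the `http` crate's `HeaderValue` (via actix-web); the `HeaderValue` below is a constructed stand-in whose `to_str()` mirrors that crate's rule (only visible ASCII 0x20..=0x7E and tab are accepted). The `AuthError` enum, the `_vulnerable`/`_fixed` function names and the sample header bytes are assumptions for illustration. The vulnerable helper reproduces the `to_str().unwrap()` shape; the hardened helper returns a `Result` so the handler can answer with an authentication error instead of panicking.

```rust
// Constructed stand-in for http::HeaderValue (not the real type): keeps raw
// bytes and only yields &str when every byte is visible ASCII or a tab.
#[derive(Debug, Clone)]
pub struct HeaderValue(Vec<u8>);

#[derive(Debug, PartialEq, Eq)]
pub struct ToStrError;

impl HeaderValue {
    pub fn from_bytes(bytes: &[u8]) -> Self {
        HeaderValue(bytes.to_vec())
    }

    /// Mirrors http::HeaderValue::to_str: Err on any non-visible-ASCII byte.
    pub fn to_str(&self) -> Result<&str, ToStrError> {
        if self.0.iter().all(|&b| b == b'\t' || (0x20u8..=0x7eu8).contains(&b)) {
            // Pure ASCII is always valid UTF-8, so this cannot fail.
            Ok(std::str::from_utf8(&self.0).expect("ascii is valid utf-8"))
        } else {
            Err(ToStrError)
        }
    }
}

/// Assumed error type for the hardened helper; a handler would map these to
/// an HTTP 401 response instead of letting the worker panic.
#[derive(Debug, PartialEq, Eq)]
pub enum AuthError {
    MissingHeader,
    MalformedHeader,
}

/// Shape of the vulnerable helper described in the advisory: a non-ASCII
/// byte makes to_str() return Err, and unwrap() turns that Err into a panic.
pub fn get_refresh_token_vulnerable(header: &HeaderValue) -> String {
    header.to_str().unwrap().to_string()
}

/// Hardened helper: every failure becomes an AuthError the caller can report,
/// so attacker-controlled header bytes never reach an unwrap().
pub fn get_refresh_token_fixed(header: Option<&HeaderValue>) -> Result<String, AuthError> {
    let value = header.ok_or(AuthError::MissingHeader)?;
    let token = value.to_str().map_err(|_| AuthError::MalformedHeader)?;
    if token.is_empty() {
        return Err(AuthError::MalformedHeader);
    }
    Ok(token.to_string())
}

/// Runs the vulnerable helper under catch_unwind so the panic can be observed
/// in a demo without aborting the process; in a real server the panic tears
/// down the worker instead.
pub fn vulnerable_panics(bytes: &[u8]) -> bool {
    let hv = HeaderValue::from_bytes(bytes);
    std::panic::catch_unwind(move || get_refresh_token_vulnerable(&hv)).is_err()
}

fn main() {
    // Constructed sample header values: one well-formed, one carrying the
    // 0xff byte the advisory names.
    let good = HeaderValue::from_bytes(b"abc123");
    let bad = HeaderValue::from_bytes(b"abc\xff123");
    println!("fixed, well-formed: {:?}", get_refresh_token_fixed(Some(&good)));
    println!("fixed, 0xff byte:   {:?}", get_refresh_token_fixed(Some(&bad)));
    println!("fixed, no header:   {:?}", get_refresh_token_fixed(None));
    // Quiet the default panic message so the demo output stays readable.
    std::panic::set_hook(Box::new(|_| {}));
    println!("vulnerable helper panics on 0xff: {}", vulnerable_panics(b"abc\xff123"));
}
```

The design point is that `?` plus `map_err` keeps the decision about malformed input inside the request path: the handler receives `Err(AuthError::MalformedHeader)` and can return a normal authentication failure, whereas `unwrap()` converts the same input into a thread panic that the HTTP worker has to absorb.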

Preconditions

  • Config: LLDAP v0.6.2 running with the default single HTTP worker configuration
  • Auth: no authentication required; the request is unauthenticated
  • Network: attacker must be able to send HTTP requests to the LLDAP server
  • Input: the refresh-token header must contain a non-ASCII byte (e.g., 0xff)

Generated on Jun 15, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

News mentions

No linked articles in our index yet.