YAMCS no rate
YAMCS contains an exploitable security vulnerability that allows endless brute-force attempts to log into the user accounts, meaning there is no limit on the number of times a user’s password can be guessed by an attacker or on how often they would be able to make those attempts.
The issue affects all releases of YAMCS through release 5.12.6 and is listed as CVE-2026-44596. The vulnerability was identified by security researcher Daniel Miranda Barcelona, who goes by the handle Excal1bur, and lies in the /auth/token endpoint.
The token endpoint allows making unlimited consecutive attempts to log into a user’s account with neither limits nor automatic account lockout functionality.
Thus, an attacker could make thousands of consecutive login attempts against an account without ever being blocked.
What Is YAMCS
YAMCS (Yet Another Mission Control System) is an open-source system used for spacecraft mission control, telemetry processing, and command sequencing.
The YAMCS no rate limiting brute force vulnerability affects the authentication system, and a successful attack could give an attacker control over mission-critical systems.
YAMCS is important to many organizations associated with spacecraft operation or development, as well as scientific studies in wide-ranging fields, and any potential disruption would be very serious.
The Vulnerable Endpoint
The vulnerability is found within the YAMCS authentication system. The root cause of the vulnerability lies in the design of one particular API endpoint used by YAMCS as part of its authentication scheme, the /auth/token API endpoint.
To authenticate with YAMCS, a client first submits a POST request to the /auth/token API with a username and password. On success, the endpoint returns an authentication token, which the client then presents on every subsequent API request for as long as the session remains logged in.
In vulnerable versions of YAMCS, the application server does not track unsuccessful login attempts, and there is no limit on how many times a user may attempt to log in. An attacker is thus able to send hundreds or thousands of login attempts against the server, with no cap on how many can be sent per second.
The Proof of Concept
The proof-of-concept exploit demonstrates how an attacker could utilize the no rate limit brute force vulnerability in the YAMCS authentication API endpoint to gain access to a YAMCS account. The exploit is represented as a simple bash script.
The script sends a configurable number of login attempts to the target server with wrong passwords, and it checks the HTTP response code each time.
If the server returns HTTP 429 (Too Many Requests), rate limiting is active and the system is patched; if the server returns HTTP 401 (Unauthorized) for every attempt, the system is vulnerable.
The YAMCS no rate limiting brute force PoC demonstrates that an attacker can try 20, 200, or 2000 passwords without ever receiving a rate limiting response.
The Impact
The YAMCS no rate limiting brute force vulnerability allows attackers to perform brute force attacks against any user account.
An attacker can use a brute force attack to guess passwords by trying many candidate passwords in rapid succession. If the account uses a common password such as "password123" or "admin", the attacker will quickly determine it and will be able to log into YAMCS with that user's privileges.
An unauthorized person using YAMCS can perform potentially destructive actions such as executing commands or stealing data from mission control systems.
This vulnerability has a CVSS score of 5.3, which corresponds to a medium severity rating, but the actual impact may vary depending on the context in which the vulnerable instance is deployed.
Affected Versions
YAMCS versions affected by this vulnerability include yamcs-core prior to version 5.12.7.
Version 5.12.7 and later have introduced rate limiting and a lockout feature for users attempting to repeatedly guess passwords, and all users should upgrade to this version of YAMCS as soon as possible.
The vulnerability was first introduced when the /auth/token endpoint was created, and for an extended time, the vulnerability existed undetected and uncorrected.
The Fix
Yamcs-core version 5.12.7 introduced a fix for the YAMCS "No Rate Limiting" vulnerability by adding rate limiting to the /auth/token endpoint that limits the number of login attempts per user within a time window, based on the number of failed attempts.
A large number of failed attempts results in HTTP 429 responses being sent to the client and temporarily blocks further use of the endpoint.
Why Rate Limiting Matters
Rate limiting is a critical security measure for any authentication endpoint, and the YAMCS "No Rate Limiting" vulnerability is an example of why. If an authentication endpoint does not use rate limiting, an attacker can rapidly guess passwords using common password dictionaries or machine learning (ML) driven guessing.
With rate limiting in place, each username is allowed only a small number of password attempts per minute, which makes brute-force password guessing very impractical.
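To make the behaviour described in "The Fix" and in this section concrete, here is an added example (not code from the YAMCS project, and not a description of its actual implementation) of a sliding-window failed-login limiter with a temporary lockout, wrapped around a model of a POST /auth/token handler. The limits (5 failures per 60 seconds, 300-second lockout), the user store and the handler shape are all assumptions chosen for the demonstration; the time is passed in explicitly so the scenario can be replayed deterministically.

```python
"""Sliding-window failed-login limiter with temporary lockout for a token endpoint.

Added example; the class, the limits and the handler below are assumptions,
not YAMCS's own code.
"""
import hmac
from collections import defaultdict, deque


class FailedLoginLimiter:
    """Tracks failed login attempts per key (here: the username) over a sliding window.

    Once max_failures have been recorded inside window_seconds, the key is locked
    out for lockout_seconds and every request, even one carrying the correct
    password, is answered with HTTP 429 until the lockout expires.
    """

    def __init__(self, max_failures=5, window_seconds=60.0, lockout_seconds=300.0):
        self.max_failures = max_failures
        self.window_seconds = window_seconds
        self.lockout_seconds = lockout_seconds
        self._failures = defaultdict(deque)  # key -> timestamps of recent failures
        self._locked_until = {}              # key -> time at which the lockout ends

    def _prune(self, key, now):
        # Drop failures that have aged out of the sliding window.
        q = self._failures[key]
        while q and q[0] <= now - self.window_seconds:
            q.popleft()

    def check(self, key, now):
        """Return (allowed, retry_after_seconds) for a request arriving at `now`."""
        until = self._locked_until.get(key)
        if until is not None:
            if now < until:
                return False, until - now
            # Lockout has expired: start counting afresh.
            del self._locked_until[key]
            self._failures[key].clear()
        return True, 0.0

    def record_failure(self, key, now):
        self._prune(key, now)
        self._failures[key].append(now)
        if len(self._failures[key]) >= self.max_failures:
            self._locked_until[key] = now + self.lockout_seconds

    def record_success(self, key):
        # A successful login resets the failure history for that key.
        self._failures.pop(key, None)
        self._locked_until.pop(key, None)


# Constructed credential store for the demonstration only; a real server
# compares against salted password hashes, never plaintext.
USERS = {"operator": "correct horse battery staple"}


def handle_token_request(limiter, username, password, now):
    """Model of a POST /auth/token handler. Returns (status_code, headers)."""
    allowed, retry_after = limiter.check(username, now)
    if not allowed:
        # 429 is returned before the password is compared, so guessing during
        # the lockout yields no information about the password at all.
        return 429, {"Retry-After": str(int(retry_after) + 1)}
    stored = USERS.get(username)
    if stored is not None and hmac.compare_digest(stored.encode(), password.encode()):
        limiter.record_success(username)
        return 200, {"Content-Type": "application/json"}
    limiter.record_failure(username, now)
    return 401, {}


def simulate(attempt_times, password="wrong-guess"):
    """Replay login attempts at the given timestamps; returns the status codes."""
    limiter = FailedLoginLimiter(max_failures=5, window_seconds=60.0, lockout_seconds=300.0)
    return [handle_token_request(limiter, "operator", password, t)[0] for t in attempt_times]


if __name__ == "__main__":
    # Twenty rapid guesses one second apart (constructed scenario): a vulnerable
    # server would answer twenty 401s; with the limiter, attempts six onward get 429.
    print(simulate([float(i) for i in range(20)]))
```

Keying the limiter on the username alone, as the page says the fix does, means an attacker who knows a username can deliberately lock that user out; keying on client address alone lets a distributed attacker evade it. A deployment usually wants both counters, with the per-user limit generous enough that the lockout is an inconvenience rather than a denial of service.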
The YAMCS no rate limiting brute force vulnerability should never have existed in a mission control system, and its presence raises questions about other security controls.
How to Test Your YAMCS Instance
You can test your YAMCS instance for the YAMCS no rate limiting brute force vulnerability using the proof-of-concept script.
Run ./poc.sh http://your-yamcs-server:8090 username 20 and observe the responses.
If all responses are HTTP 401, your instance is vulnerable; if any response is HTTP 429, rate limiting is active.
The YAMCS no rate limiting brute force test is safe and does not change any data; it only attempts failed logins.
Protecting Your YAMCS Instance
1. Upgrade to yamcs-core (version 5.12.7 and newer) to fix the YAMCS vulnerability of "Brute Force Attacks Without Rate Limiting."
2. If you cannot upgrade, you can add a network-level control by placing your YAMCS instance behind an nginx reverse proxy: the proxy can then limit the rate of requests to the login endpoint on YAMCS's behalf.
3. Use strong passwords for all of your YAMCS accounts, as these make it harder for an attacker to guess a password even when there is no rate limit in YAMCS. Passwords should be long, random, and complex.
4. Check your YAMCS logs for repeated failed attempts at the /auth/token endpoint. A burst of failures against one account, especially one followed by a successful login, is the signature of a brute force attack exploiting the missing rate limit.
5. If you're not currently using multi-factor authentication (MFA) with your users, consider implementing it. MFA guards against password-based attacks even without rate limiting in YAMCS, and YAMCS may be integrable with external MFA authentication providers.
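As an added example of the log review in step 4 (this is not a YAMCS tool, and the log layout is a constructed access-log format, not YAMCS's real one), the script below parses lines of the form `<ISO-8601 time> <client ip> <method> <path> <status> user=<username>`, counts 401s on POST /auth/token per (user, client address) inside a sliding window, and raises one alert when a burst crosses a threshold and a second, more urgent one if that same pair then logs in successfully. The sample lines, the threshold and the window are constructed for the demonstration.

```python
"""Flag bursts of failed logins against /auth/token in access-log lines.

Added example with a constructed log format; it is not YAMCS's own log layout
or tooling.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timezone

# Constructed line format: <ISO-8601 time> <client ip> <method> <path> <status> user=<username>
LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<ip>\S+) (?P<method>[A-Z]+) (?P<path>\S+) "
    r"(?P<status>\d{3}) user=(?P<user>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"ts": ts, "ip": m["ip"], "method": m["method"], "path": m["path"],
            "status": int(m["status"]), "user": m["user"]}


def find_bruteforce(lines, threshold=10, window_seconds=60):
    """Return alerts for (user, ip) pairs with >= threshold 401s on POST /auth/token
    inside window_seconds, plus a 'success_after_burst' alert if that pair then
    receives a 200, which is the case to escalate immediately."""
    recent = defaultdict(deque)  # (user, ip) -> timestamps of 401s inside the window
    burst_open = set()           # pairs that have already been reported as a burst
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None or ev["method"] != "POST" or ev["path"] != "/auth/token":
            continue
        key = (ev["user"], ev["ip"])
        q = recent[key]
        while q and (ev["ts"] - q[0]).total_seconds() > window_seconds:
            q.popleft()
        if ev["status"] == 401:
            q.append(ev["ts"])
            if len(q) >= threshold and key not in burst_open:
                burst_open.add(key)
                alerts.append({"kind": "burst", "user": ev["user"], "ip": ev["ip"],
                               "failures": len(q), "at": ev["ts"].isoformat()})
        elif ev["status"] == 200:
            if key in burst_open:
                alerts.append({"kind": "success_after_burst", "user": ev["user"],
                               "ip": ev["ip"], "at": ev["ts"].isoformat()})
            # A successful login closes the episode for this pair.
            q.clear()
            burst_open.discard(key)
        # 429 lines mean the server is already rate limiting; nothing to report.
    return alerts


# Constructed sample log: one ordinary typo-then-success from alice, then twelve
# rapid failures against "operator" from one address followed by a success.
SAMPLE_LOG = [
    "2026-03-01T10:00:00Z 198.51.100.5 POST /auth/token 401 user=alice",
    "2026-03-01T10:00:07Z 198.51.100.5 POST /auth/token 200 user=alice",
] + [
    f"2026-03-01T10:05:{i:02d}Z 203.0.113.7 POST /auth/token 401 user=operator"
    for i in range(12)
] + [
    "2026-03-01T10:05:13Z 203.0.113.7 POST /auth/token 200 user=operator",
    "2026-03-01T10:05:14Z 203.0.113.7 GET /api/instances 200 user=operator",
]

if __name__ == "__main__":
    for alert in find_bruteforce(SAMPLE_LOG):
        print(alert)
```

On a patched instance the same pass would show 429 lines instead of a long run of 401s; on a vulnerable one, the "success_after_burst" alert is the signal that a guessed password has been used and that credential rotation and a review of the session's subsequent commands are due.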
The Researcher
The researcher responsible for discovering the no-rate-limiting brute-force vulnerability in YAMCS is Daniel Miranda Barcelona (Excal1bur). He has also published a proof-of-concept.
The researcher disclosed the issue to YAMCS maintainers in a responsible manner, which resulted in a fix being released in YAMCS version 5.12.7.
The YAMCS no rate limiting brute force vulnerability is now public, and attackers may be scanning for vulnerable instances.
The Space Mission Context
Because YAMCS lacked rate limiting on logins, the vulnerability could adversely affect a real-world spacecraft mission: an attacker who obtains access to YAMCS could send commands to the spacecraft and so disrupt mission operations.
While the YAMCS no rate limiting brute force vulnerability only affects authentication, a successful brute force attack is the first step toward deeper compromise.
Organizations using YAMCS for critical missions should prioritize this patch.
Final Thoughts
The YAMCS no rate limiting brute force vulnerability is a basic security oversight: authentication endpoints should always have rate limiting, and every developer should know this.
The YAMCS no rate limiting brute force vulnerability existed for years before being discovered, and this suggests that YAMCS deployments may have been exposed to brute force attacks for a long time.
If you run YAMCS, check your version today, upgrade to 5.12.7 or later, and review your logs for signs of brute force attempts.
The YAMCS no rate limiting brute force vulnerability is fixed, but only if you apply the update; do not leave your mission control system exposed.
FAQ Section
What is CVE-2026-44596?
CVE-2026-44596 is an unlimited brute force vulnerability that allows an attacker to keep attempting logins against the /auth/token endpoint endlessly on all yamcs-core versions prior to 5.12.7, since there are no lockouts or rate limiting for those attempts.
How would an attacker exploit this vulnerability?
An attacker can send an unlimited number of password guesses against /auth/token and once they find a valid username/password combination, they will have access to YAMCS as that user.
What is the CVSS score of CVE-2026-44596?
The YAMCS no rate limiting brute force vulnerability has a CVSS score of 5.3 (Medium); however, the actual impact depends on the affected environment and could be catastrophic in mission-critical settings.
Are patches available to fix this vulnerability?
Yes. The YAMCS no rate limiting brute force vulnerability is patched in yamcs-core version 5.12.7 and later. All users are urged to upgrade their YAMCS deployment to at least yamcs-core version 5.12.7.
How can I determine if my YAMCS instance is vulnerable?
To verify whether your YAMCS instance is vulnerable, use the provided proof-of-concept script (./poc.sh http://Your-Server:8090 USERNAME 20). If all responses return HTTP 401, you have a vulnerable YAMCS instance. If at least one response returns HTTP 429, your YAMCS instance has rate limiting enabled.