CVE-2026-1966

YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, potentially enabling unauthorized access to external directory services.

CVSS

No CVSS.

References

Link	Resource
https://docs.yugabyte.com/stable/secure/vulnerability-disclosure-policy/

Configurations

No configuration.

History

15 Apr 2026, 00:35

Type	Values Removed	Values Added
Summary		(es) YugabyteDB Anywhere muestra las contraseñas de enlace LDAP configuradas a través de gflags en texto claro dentro de la interfaz de usuario web. Un usuario autenticado con acceso a la vista de configuración podría obtener las credenciales LDAP, lo que podría permitir el acceso no autorizado a servicios de directorio externos.

05 Feb 2026, 12:16

Type	Values Removed	Values Added
New CVE

Information

Published : 2026-02-05 12:16

Updated : 2026-04-15 00:35

NVD link : CVE-2026-1966

Mitre link : CVE-2026-1966

CVE.ORG link : CVE-2026-1966

JSON object : View

Products Affected

No product.

CWE

CWE-522

Insufficiently Protected Credentials

{"id": "CVE-2026-1966", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security@yugabyte.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.4, "Automatable": "NOT_DEFINED", "attackVector": "PHYSICAL", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:P/AC:H/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-05T12:16:01.467", "references": [{"url": "https://docs.yugabyte.com/stable/secure/vulnerability-disclosure-policy/", "source": "security@yugabyte.com"}], "vulnStatus": "Deferred", "weaknesses": [{"type": "Secondary", "source": "security@yugabyte.com", "description": [{"lang": "en", "value": "CWE-522"}]}], "descriptions": [{"lang": "en", "value": "YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, potentially enabling unauthorized access to external directory services."}, {"lang": "es", "value": "YugabyteDB Anywhere muestra las contrase\u00f1as de enlace LDAP configuradas a trav\u00e9s de gflags en texto claro dentro de la interfaz de usuario web. Un usuario autenticado con acceso a la vista de configuraci\u00f3n podr\u00eda obtener las credenciales LDAP, lo que podr\u00eda permitir el acceso no autorizado a servicios de directorio externos."}], "lastModified": "2026-04-15T00:35:42.020", "sourceIdentifier": "security@yugabyte.com"}