CVE-2026-1966

YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, potentially enabling unauthorized access to external directory services.

CVSS

No CVSS.

References

Link	Resource
https://docs.yugabyte.com/stable/secure/vulnerability-disclosure-policy/

Configurations

No configuration.

History

No history.

Information

Published : 2026-02-05 12:16

Updated : 2026-02-05 14:57

NVD link : CVE-2026-1966

Mitre link : CVE-2026-1966

CVE.ORG link : CVE-2026-1966

JSON object : View

Products Affected

No product.

CWE

CWE-522

Insufficiently Protected Credentials

{"id": "CVE-2026-1966", "cveTags": [], "metrics": {"cvssMetricV40": [{"type": "Secondary", "source": "security@yugabyte.com", "cvssData": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.4, "Automatable": "NOT_DEFINED", "attackVector": "PHYSICAL", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:P/AC:H/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "integrityRequirement": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "availabilityRequirement": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "confidentialityRequirement": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "vulnerabilityResponseEffort": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED"}}]}, "published": "2026-02-05T12:16:01.467", "references": [{"url": "https://docs.yugabyte.com/stable/secure/vulnerability-disclosure-policy/", "source": "security@yugabyte.com"}], "vulnStatus": "Awaiting Analysis", "weaknesses": [{"type": "Secondary", "source": "security@yugabyte.com", "description": [{"lang": "en", "value": "CWE-522"}]}], "descriptions": [{"lang": "en", "value": "YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, potentially enabling unauthorized access to external directory services."}, {"lang": "es", "value": "YugabyteDB Anywhere muestra las contrase\u00f1as de enlace LDAP configuradas a trav\u00e9s de gflags en texto claro dentro de la interfaz de usuario web. Un usuario autenticado con acceso a la vista de configuraci\u00f3n podr\u00eda obtener las credenciales LDAP, lo que podr\u00eda permitir el acceso no autorizado a servicios de directorio externos."}], "lastModified": "2026-02-05T14:57:20.563", "sourceIdentifier": "security@yugabyte.com"}

CVE-2026-1966

JSON object

Attach tags to CVE-2026-1966

Attach tags to `CVE-2026-1966`