
Description

YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, potentially enabling unauthorized access to external directory services.

PUBLISHED Reserved 2026-02-05 | Published 2026-02-05 | Updated 2026-02-05 | Assigner Yugabyte




LOW: 2.4 | CVSS:4.0/AV:P/AC:H/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H

Problem types

CWE-522 Insufficiently Protected Credentials

Product status

Default status: unaffected

2025.1.0.0 (custom) before 2025.1.1.0: affected

2024.2.0.0 (custom) before 2024.2.6.0: affected

2025.2.0.0 (custom): unaffected

References

docs.yugabyte.com/...secure/vulnerability-disclosure-policy/

cve.org (CVE-2026-1966)

nvd.nist.gov (CVE-2026-1966)
