CVE-2026-1966

Summary

YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, potentially enabling unauthorized access to external directory services.

Affected Software

VendorProductVersion RangeStatus
YugabyteDB IncYugabyteDB Anywhere2025.1.0.0 < 2025.1.1.0affected
YugabyteDB IncYugabyteDB Anywhere2024.2.0.0 < 2024.2.6.0affected
YugabyteDB IncYugabyteDB Anywhere2025.2.0.0unaffected

Weaknesses

  • CWE-522: CWE-522 Insufficiently Protected Credentials

ADP Enrichment

CISA ADP Vulnrichment

  • SSVC:
  • Exploitation: none
    • Automatable: no
    • Technical Impact: partial

References