CVE-2026-1966

Severity CVSS v4.0:

LOW

Type:

CWE-522 Insufficiently Protected Credentials

Publication date:

05/02/2026

Last modified:

05/02/2026

Description

YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, potentially enabling unauthorized access to external directory services.

Impact

Vector 4.0

CVSS:4.0/AV:P/AC:H/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H CVSS v4.0 Severity and Metrics:

Base Score: 2.40 LOW
Vector: CVSS:4.0/AV:P/AC:H/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H

Attack Vector (AV): Physical
Attack Complexity (AC): High
Attack Requirements (AT): Present
Privileges Required (PR): High
User Interaction (UI): Active
Confidentiality (VC): Low
Integrity (VI): Low
Availability (VA): Low
Confidentiality (SC): High
Integrity (SI): High
Availability (SA): High

Base Score 4.0

2.40

Severity 4.0

LOW

References to Advisories, Solutions, and Tools

https://docs.yugabyte.com/stable/secure/vulnerability-disclosure-policy/