Bug 2437046 (CVE-2026-1966)
| Summary: | CVE-2026-1966 YugabyteDB: YugabyteDB Anywhere: Information disclosure of LDAP bind passwords via web UI | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | OSIDB Bzimport <bzimport> |
| Component: | vulnerability | Assignee: | Product Security DevOps Team <prodsec-dev> |
| Status: | NEW --- | QA Contact: | |
| Severity: | low | Docs Contact: | |
| Priority: | low | ||
| Version: | unspecified | CC: | asoldano, bbaranow, bmaxwell, brian.stansberry, darran.lofthouse, dosoudil, istudens, ivassile, iweiss, mosmerov, msvehla, nwallace, pberan, pesilva, pjindal, pmackay, rstancel, smaestri, tom.jenkinson |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | Doc Type: | --- | |
| Doc Text: | A flaw was found in YugabyteDB Anywhere. This vulnerability allows an authenticated user with access to the configuration view to obtain Lightweight Directory Access Protocol (LDAP) bind passwords. These passwords are displayed in cleartext within the web user interface (UI) when configured via gflags. This information disclosure could potentially enable unauthorized access to external directory services. | Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | Type: | --- | |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2437678, 2437679, 2437680, 2437681 | ||
| Bug Blocks: | |||

Description
OSIDB Bzimport
2026-02-05 12:01:17 UTC