CVE-2026-1966 PUBLISHED

YugabyteDB Anywhere Exposes LDAP Credentials in Cleartext in Web UI

Assigner: Yugabyte
Reserved: 05.02.2026 Published: 05.02.2026 Updated: 05.02.2026

YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, potentially enabling unauthorized access to external directory services.

Metrics

CVSS 4.0

CVSS Vector: CVSS:4.0/AV:P/AC:H/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H
CVSS Score: 2.4

Exploitability Metrics		Vulnerable System Impact Metrics		Subsequent System Impact Metrics
Attack Vector	Physical	Confidentiality	Low	Confidentiality	High
Attack Complexity	High	Integrity	Low	Integrity	High
Attack Requirements	Present	Availability	Low	Availability	High
Privileges Required	High
User Interaction	Active

CVSS 4.0

Product Status

Vendor	YugabyteDB Inc
Product	YugabyteDB Anywhere
Versions	Default: unaffected affected from 2025.1.0.0 to 2025.1.1.0 (excl.) affected from 2024.2.0.0 to 2024.2.6.0 (excl.) Version 2025.2.0.0 is unaffected

References

https://docs.yugabyte.com/stable/secure/vulnerability-disclosure-policy/

Problem Types

CWE-522 Insufficiently Protected Credentials CWE

Impacts

CAPEC-118 Data Leakage Attacks