{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-1966", "assignerOrgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078", "state": "PUBLISHED", "assignerShortName": "Yugabyte", "dateReserved": "2026-02-05T11:27:51.783Z", "datePublished": "2026-02-05T11:38:28.291Z", "dateUpdated": "2026-02-05T14:18:33.527Z"}, "containers": {"cna": {"affected": [{"defaultStatus": "unaffected", "packageName": "yugaware", "platforms": ["Linux"], "product": "YugabyteDB Anywhere", "repo": "https://github.com/yugabyte/yugabyte-db/", "vendor": "YugabyteDB Inc", "versions": [{"lessThan": "2025.1.1.0", "status": "affected", "version": "2025.1.0.0", "versionType": "custom"}, {"lessThan": "2024.2.6.0", "status": "affected", "version": "2024.2.0.0", "versionType": "custom"}, {"status": "unaffected", "version": "2025.2.0.0", "versionType": "custom"}]}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, potentially enabling unauthorized access to external directory services.<br><br><br>"}], "value": "YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, potentially enabling unauthorized access to external directory services."}], "impacts": [{"capecId": "CAPEC-118", "descriptions": [{"lang": "en", "value": "CAPEC-118 Data Leakage Attacks"}]}], "metrics": [{"cvssV4_0": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "PHYSICAL", "baseScore": 2.4, "baseSeverity": "LOW", "exploitMaturity": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:P/AC:H/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "format": "CVSS", "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "problemTypes": [{"descriptions": [{"cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078", "shortName": "Yugabyte", "dateUpdated": "2026-02-05T11:38:28.291Z"}, "references": [{"url": "https://docs.yugabyte.com/stable/secure/vulnerability-disclosure-policy/"}], "source": {"defect": ["PLAT-18069"], "discovery": "INTERNAL"}, "title": "YugabyteDB Anywhere Exposes LDAP Credentials in Cleartext in Web UI", "x_generator": {"engine": "Vulnogram 0.5.0"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-02-05T14:18:27.232841Z", "id": "CVE-2026-1966", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T14:18:33.527Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-1966", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-02-05T14:18:27.232841Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-02-05T14:18:29.868Z"}}], "cna": {"title": "YugabyteDB Anywhere Exposes LDAP Credentials in Cleartext in Web UI", "source": {"defect": ["PLAT-18069"], "discovery": "INTERNAL"}, "impacts": [{"capecId": "CAPEC-118", "descriptions": [{"lang": "en", "value": "CAPEC-118 Data Leakage Attacks"}]}], "metrics": [{"format": "CVSS", "cvssV4_0": {"Safety": "NOT_DEFINED", "version": "4.0", "Recovery": "NOT_DEFINED", "baseScore": 2.4, "Automatable": "NOT_DEFINED", "attackVector": "PHYSICAL", "baseSeverity": "LOW", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:P/AC:H/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H", "exploitMaturity": "NOT_DEFINED", "providerUrgency": "NOT_DEFINED", "userInteraction": "ACTIVE", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "privilegesRequired": "HIGH", "subIntegrityImpact": "HIGH", "vulnIntegrityImpact": "LOW", "subAvailabilityImpact": "HIGH", "vulnAvailabilityImpact": "LOW", "subConfidentialityImpact": "HIGH", "vulnConfidentialityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "scenarios": [{"lang": "en", "value": "GENERAL"}]}], "affected": [{"repo": "https://github.com/yugabyte/yugabyte-db/", "vendor": "YugabyteDB Inc", "product": "YugabyteDB Anywhere", "versions": [{"status": "affected", "version": "2025.1.0.0", "lessThan": "2025.1.1.0", "versionType": "custom"}, {"status": "affected", "version": "2024.2.0.0", "lessThan": "2024.2.6.0", "versionType": "custom"}, {"status": "unaffected", "version": "2025.2.0.0", "versionType": "custom"}], "platforms": ["Linux"], "packageName": "yugaware", "defaultStatus": "unaffected"}], "references": [{"url": "https://docs.yugabyte.com/stable/secure/vulnerability-disclosure-policy/"}], "x_generator": {"engine": "Vulnogram 0.5.0"}, "descriptions": [{"lang": "en", "value": "YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, potentially enabling unauthorized access to external directory services.", "supportingMedia": [{"type": "text/html", "value": "YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, potentially enabling unauthorized access to external directory services.<br><br><br>", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-522", "description": "CWE-522 Insufficiently Protected Credentials"}]}], "providerMetadata": {"orgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078", "shortName": "Yugabyte", "dateUpdated": "2026-02-05T11:38:28.291Z"}}}, "cveMetadata": {"cveId": "CVE-2026-1966", "state": "PUBLISHED", "dateUpdated": "2026-02-05T14:18:33.527Z", "dateReserved": "2026-02-05T11:27:51.783Z", "assignerOrgId": "d4ae51d3-4db5-465e-bc8a-eb6768324078", "datePublished": "2026-02-05T11:38:28.291Z", "assignerShortName": "Yugabyte"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, potentially enabling unauthorized access to external directory services."}], "id": "CVE-2026-1966", "lastModified": "2026-02-05T14:57:20.563", "metrics": {"cvssMetricV40": [{"cvssData": {"Automatable": "NOT_DEFINED", "Recovery": "NOT_DEFINED", "Safety": "NOT_DEFINED", "attackComplexity": "HIGH", "attackRequirements": "PRESENT", "attackVector": "PHYSICAL", "availabilityRequirement": "NOT_DEFINED", "baseScore": 2.4, "baseSeverity": "LOW", "confidentialityRequirement": "NOT_DEFINED", "exploitMaturity": "NOT_DEFINED", "integrityRequirement": "NOT_DEFINED", "modifiedAttackComplexity": "NOT_DEFINED", "modifiedAttackRequirements": "NOT_DEFINED", "modifiedAttackVector": "NOT_DEFINED", "modifiedPrivilegesRequired": "NOT_DEFINED", "modifiedSubAvailabilityImpact": "NOT_DEFINED", "modifiedSubConfidentialityImpact": "NOT_DEFINED", "modifiedSubIntegrityImpact": "NOT_DEFINED", "modifiedUserInteraction": "NOT_DEFINED", "modifiedVulnAvailabilityImpact": "NOT_DEFINED", "modifiedVulnConfidentialityImpact": "NOT_DEFINED", "modifiedVulnIntegrityImpact": "NOT_DEFINED", "privilegesRequired": "HIGH", "providerUrgency": "NOT_DEFINED", "subAvailabilityImpact": "HIGH", "subConfidentialityImpact": "HIGH", "subIntegrityImpact": "HIGH", "userInteraction": "ACTIVE", "valueDensity": "NOT_DEFINED", "vectorString": "CVSS:4.0/AV:P/AC:H/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X", "version": "4.0", "vulnAvailabilityImpact": "LOW", "vulnConfidentialityImpact": "LOW", "vulnIntegrityImpact": "LOW", "vulnerabilityResponseEffort": "NOT_DEFINED"}, "source": "security@yugabyte.com", "type": "Secondary"}]}, "published": "2026-02-05T12:16:01.467", "references": [{"source": "security@yugabyte.com", "url": "https://docs.yugabyte.com/stable/secure/vulnerability-disclosure-policy/"}], "sourceIdentifier": "security@yugabyte.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-522"}], "source": "security@yugabyte.com", "type": "Secondary"}]}

{"bugzilla": {"description": "YugabyteDB: YugabyteDB Anywhere: Information disclosure of LDAP bind passwords via web UI", "id": "2437046", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2437046"}, "csaw": false, "cvss3": {"cvss3_base_score": "6.5", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N", "status": "draft"}, "cwe": "CWE-312", "details": ["YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, potentially enabling unauthorized access to external directory services.", "A flaw was found in YugabyteDB Anywhere. This vulnerability allows an authenticated user with access to the configuration view to obtain Lightweight Directory Access Protocol (LDAP) bind passwords. These passwords are displayed in cleartext within the web user interface (UI) when configured via gflags. This information disclosure could potentially enable unauthorized access to external directory services."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability."}, "name": "CVE-2026-1966", "package_state": [{"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "yugabytedb", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "yugabytedb", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2026-02-05T11:38:28Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-1966\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-1966\nhttps://docs.yugabyte.com/stable/secure/vulnerability-disclosure-policy/"], "statement": "LOW impact: Authenticated users with access to the configuration view of YugabyteDB Anywhere can obtain LDAP bind passwords displayed in cleartext within the web UI. This information disclosure could lead to unauthorized access to external directory services.", "threat_severity": "Low"}