CVE-2026-1966

YugabyteDB Anywhere Exposes LDAP Credentials in Cleartext in Web UI

CVSS 2.4 LOWEPSS 0.2%CWE-522

Vexday Risk Score

8Low

SSVC decision (CISA)

Track

No exploitation signal → monitor

CVSS 2.4EPSS 0.2%KEV nãoPoC —Nuclei —Metasploit —Patch —

Lifecycle

05 Feb 2026Published on NVD

Recommendation: Monitor — no exploitation signal at the moment.

YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, potentially enabling unauthorized access to external directory services.

CVSS:4.0/AV:P/AC:H/AT:P/PR:H/UI:A/VC:L/VI:L/VA:L/SC:H/SI:H/SA:H

Affected products

YugabyteDB Inc · YugabyteDB Anywhere

Want to know if your infrastructure is exposed to this?

Talk to TrueHacking →

References

https://docs.yugabyte.com/stable/secure/vulnerability-disclosure-policy/