Copyright © 2012 Red Hat, Inc. All rights reserved. Low 2026-02-05T11:38:28 YugabyteDB: YugabyteDB Anywhere: Information disclosure of LDAP bind passwords via web UI 6.5 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N CWE-312

YugabyteDB Anywhere displays LDAP bind passwords configured via gflags in cleartext within the web UI. An authenticated user with access to the configuration view could obtain LDAP credentials, potentially enabling unauthorized access to external directory services.

A flaw was found in YugabyteDB Anywhere. This vulnerability allows an authenticated user with access to the configuration view to obtain Lightweight Directory Access Protocol (LDAP) bind passwords. These passwords are displayed in cleartext within the web user interface (UI) when configured via gflags. This information disclosure could potentially enable unauthorized access to external directory services.

LOW impact: Authenticated users with access to the configuration view of YugabyteDB Anywhere can obtain LDAP bind passwords displayed in cleartext within the web UI. This information disclosure could lead to unauthorized access to external directory services. Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base, or stability. Red Hat JBoss Enterprise Application Platform 8 Fix deferred yugabytedb Red Hat JBoss Enterprise Application Platform Expansion Pack Fix deferred yugabytedb https://www.cve.org/CVERecord?id=CVE-2026-1966 https://nvd.nist.gov/vuln/detail/CVE-2026-1966 https://docs.yugabyte.com/stable/secure/vulnerability-disclosure-policy/