CVE-2026-50889: An input handling flaw in the HTTP refresh token process of LLDAP v0
An input handling flaw in the HTTP refresh token process of LLDAP v0.6.2 allows attackers to cause a Denial of Service (DoS) via sending a crafted refresh-token header.
Metrics
- CVSS v3.1: 7.5
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A denial-of-service vulnerability exists in the HTTP refresh token handler of LLDAP v0.6.2. The flaw is reachable over the network without any authentication, meaning any attacker who can send HTTP requests to the service can trigger it. Successful exploitation crashes or hangs the LLDAP process, making the authentication service unavailable to all dependent applications. HarborGuard is tracking this advisory and will make a patched-image rebuild available the moment an upstream fix is published.
HarborGuard Coverage
Detection of CVE-2026-50889 is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that package LLDAP v0.6.2. Any image in a connected registry or CI pipeline that contains the affected version will surface in scan results automatically. Status: Available.
HarborGuard is capable of scoring this finding at CVSS 7.5 (HIGH) and weighting it further against each environment's compliance policy before routing the alert to the appropriate team inbox. Per-environment policy configuration determines whether the finding blocks a pipeline gate or generates an advisory-only notification. Status: Available.
Because no upstream fix version has been published yet, HarborGuard re-checks this advisory on every ingest cycle and will make a patched-image rebuild available automatically the moment a fix is released. Until then, the finding remains open and prominently flagged in each environment where the affected image is present. Status: Pending upstream.
Exploit Conditions
- Network reachability: Required
The vulnerable HTTP refresh token endpoint is exposed over the network, so an attacker must be able to send HTTP requests to the LLDAP service.
- Authentication: Not required
No credentials or session token are needed; the malformed refresh-token header can be sent by any unauthenticated caller.
- Victim interaction: Not required
The attacker sends a crafted request directly to the service; no user action or social engineering is involved.
- Attack complexity: Low (AC:L)
Exploit conditions are straightforward and reliable, with no race conditions or special environmental factors required to trigger the fault.
Blast Radius
- Crashes or hangs the LLDAP authentication service, making it unable to process any login or token requests.
- All applications and services that depend on LLDAP for authentication lose access to identity resolution until the process is restarted.
- Repeated delivery of the crafted header can sustain the outage across restart cycles, keeping the service unavailable indefinitely.
How HarborGuard Handles This
Available on HarborGuard: scanning for CVE-2026-50889 is active now, and any image containing LLDAP v0.6.2 will be flagged in scan results for all connected registries and pipelines. Because no upstream patch exists yet, HarborGuard monitors the advisory on every ingest cycle and will surface a patched-image rebuild automatically once a fix version is published. In the interim, customers are advised to consider network-policy controls that restrict which services and source addresses can reach the LLDAP HTTP endpoint, reducing exposure to unauthenticated callers. Egress and ingress filtering at the Kubernetes network-policy or service-mesh layer can serve as a compensating control while the upstream project prepares a fix.
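As an added illustration of the compensating control described above (not part of the HarborGuard advisory or the LLDAP project), the following Kubernetes NetworkPolicy restricts which workloads can reach LLDAP's HTTP API, where the refresh-token endpoint lives. The namespace name, pod labels and the default LLDAP ports (3890 for LDAP, 17170 for HTTP) are assumptions; adjust them to your deployment.

```yaml
# Added example: restrict ingress to LLDAP pods so that only designated
# clients can reach the HTTP API. Assumed (constructed) values: LLDAP runs in
# namespace "identity" with label app=lldap; LDAP on TCP/3890, HTTP on
# TCP/17170; the admin UI is fronted by ingress-nginx in its own namespace.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: lldap-restrict-ingress
  namespace: identity
spec:
  podSelector:
    matchLabels:
      app: lldap
  policyTypes:
    - Ingress          # only ingress is constrained; egress is left unchanged
  ingress:
    # LDAP bind/search traffic: allowed only from namespaces explicitly
    # labelled as LLDAP consumers (label is an assumption).
    - from:
        - namespaceSelector:
            matchLabels:
              lldap-client: "allowed"
      ports:
        - protocol: TCP
          port: 3890
    # HTTP API (includes the refresh-token endpoint): allowed only from the
    # ingress controller pods, so arbitrary unauthenticated callers inside the
    # cluster cannot reach it directly. namespaceSelector and podSelector in
    # the same "from" entry are ANDed together.
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
          podSelector:
            matchLabels:
              app.kubernetes.io/name: ingress-nginx
      ports:
        - protocol: TCP
          port: 17170
```

Because a pod selected by any NetworkPolicy denies all ingress not explicitly listed, apply this only after confirming every legitimate LLDAP client matches one of the `from` rules; the cluster's CNI must also enforce NetworkPolicy for it to have any effect.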
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H