CVE-2026-13696: HAVELSAN Liman MYS LDAP Injection Vulnerability
A high-severity LDAP injection vulnerability, tracked as CVE-2026-13696 with a CVSS v3.1 base score of 8.8, affects HAVELSAN Inc.'s Liman MYS versions prior to release.Master.1107, allowing attackers to bypass authentication or exfiltrate sensitive data via improper neutralization of special characters in LDAP queries.
A critical LDAP injection vulnerability, identified as CVE-2026-13696, has been discovered in HAVELSAN Inc.'s Liman MYS administrative management system. This flaw stems from improper neutralization of special characters within LDAP queries, allowing attackers to manipulate or inject malicious LDAP statements. Such an injection could lead to unauthorized authentication bypass, data exfiltration from the LDAP directory, or alteration of user and group information. The vulnerability affects all versions of Liman MYS prior to release.Master.1107. With a CVSS v3.1 Base Score of 8.8, this vulnerability poses a significant risk, as successful exploitation could grant attackers extensive control over user management and potentially lead to broader system compromise. This issue was published on 2026-07-07, and organizations using affected versions are urged to apply the patch immediately to mitigate these severe risks.
Impact
Successful exploitation of CVE-2026-13696 could allow an unauthenticated attacker to bypass authentication mechanisms, gain unauthorized access to the Liman MYS system, and potentially the underlying LDAP directory. This could lead to information disclosure, unauthorized modification of user accounts, groups, and permissions, or even full administrative compromise of the directory service. The highly sensitive nature of LDAP directories means that compromise could have widespread effects on user management, access control across multiple integrated systems, and lead to significant data breaches or operational disruption.
Recommendation
- Patch CVE-2026-13696 on all HAVELSAN Inc. Liman MYS instances immediately by upgrading to
release.Master.1107or later.