Severity: High
CVE ID: CVE-2026-12266
Affected Software Version(s): DDI Central 6.2.0 / Build 6200
Fixed Version: Build 6201
Fixed on: June 18, 2026
Details:
ManageEngine DDI Central 6.2.0 (build 6200) had a high-severity vulnerability in which LDAP authentication configuration details, including the LDAP bind password, could be exposed to authenticated users because of insufficient access control in the LDAP settings API.
The vulnerability has been fixed by enforcing proper authorization for the LDAP settings retrieval API and ensuring that LDAP credentials are no longer returned in API responses.
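The two controls named in the fix, shown as an added Python illustration that is not DDI Central code: the role names, the settings fields, the sample values and both handler functions are hypothetical, and which role may read LDAP settings is an assumption.

```python
# Added illustration; Role, LdapSettings and get_ldap_settings_* are
# hypothetical names and are not taken from DDI Central.
from dataclasses import dataclass, asdict
from enum import Enum


class Role(Enum):
    ADMIN = "admin"
    OPERATOR = "operator"


class Forbidden(Exception):
    """Caller is authenticated but not allowed to read LDAP settings."""


@dataclass(frozen=True)
class LdapSettings:
    server_url: str
    base_dn: str
    bind_dn: str
    bind_password: str  # secret: only the server-side LDAP client needs it


# Constructed sample configuration (not real values).
STORED = LdapSettings("ldaps://ldap.example.test:636", "dc=example,dc=test",
                      "cn=svc-ddi,dc=example,dc=test", "constructed-secret")

SECRET_FIELDS = {"bind_password"}


def get_ldap_settings_flawed(role: Role) -> dict:
    # Flawed pattern: authentication is the only gate, so every logged-in
    # role receives the full record, bind password included.
    return asdict(STORED)


def get_ldap_settings_hardened(role: Role) -> dict:
    # Control 1: authorize the caller (assumed here: admin role only).
    if role is not Role.ADMIN:
        raise Forbidden("LDAP settings require the admin role")
    # Control 2: drop secret fields from the response for every caller.
    body = {k: v for k, v in asdict(STORED).items() if k not in SECRET_FIELDS}
    # Report only whether a password is configured, never its value.
    body["bind_password_set"] = bool(STORED.bind_password)
    return body
```

Either control alone leaves a gap: authorization without redaction still sends the password to every permitted caller, and redaction without authorization still discloses the bind DN and server details to any authenticated user.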
Impact:
This flaw could allow authenticated users to view sensitive LDAP configuration details, including the LDAP bind password, which could expose directory service credentials and related authentication configuration information.
Steps to upgrade:
Update your DDI Central Console and Node Agent instances to the latest build, 6201, using the service pack.
Acknowledgements:
This issue was reported by C&N.