CVE-2026-44632
Awaiting Analysis Awaiting Analysis - Queue

Code Injection in Yamcs Mission Control Framework

Vulnerability report for CVE-2026-44632, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

Yamcs is a mission control framework. Prior to 5.12.7, a server-side code injection vulnerability existed in the Yamcs algorithm evaluation engine org.yamcs.algorithms.JavaExprAlgorithmExecutionFactory, which dynamically compiled and evaluated user-controlled algorithm text through the Janino compiler without enforcing a secure sandbox, so an authenticated user with the ChangeMissionDatabase privilege could override an existing algorithm's text via the mission database REST API and inject Java code (for example using java.lang.Runtime) to achieve remote code execution on the underlying host operating system. This issue is fixed in versions 5.12.7 and 5.13.0, which disable algorithm editing by default.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
yamcs yamcs to 5.12.7 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-44632 is a server-side code injection vulnerability in the Yamcs mission control framework. It allows authenticated users with the ChangeMissionDatabase privilege to inject malicious Java code into algorithms via the mission database REST API. The system dynamically compiles and executes this user-controlled code without a secure sandbox, enabling remote code execution on the host operating system.

Detection Guidance

Check if Yamcs is running a vulnerable version (prior to 5.12.7) by inspecting the version in logs or configuration files. Look for unauthorized algorithm modifications in Yamcs logs, particularly HTTP PATCH requests to the MDB override endpoint. Monitor for unexpected Java code execution or system command invocations in Yamcs process logs.

Impact Analysis

An attacker could exploit this to gain full control over the Yamcs server and underlying host system. This could lead to arbitrary command execution, data theft, or lateral movement within the network. The impact includes complete system compromise, potential data breaches, and disruption of mission-critical operations.

Compliance Impact

This vulnerability could lead to severe compliance violations. GDPR requires protecting personal data; a breach could result in fines up to 4% of global revenue. HIPAA mandates safeguarding health data; a compromise could lead to penalties and loss of trust. The vulnerability enables data exfiltration, violating confidentiality requirements in both standards.

Mitigation Strategies

Upgrade Yamcs to version 5.12.7 or later where algorithm editing is disabled by default. If upgrading is not possible, disable the overrideAlgorithmsEnabled configuration option in Yamcs settings to prevent algorithm modifications. Ensure only trusted users have the ChangeMissionDatabase privilege and monitor for any unauthorized access attempts.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-44632. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart