CVE-2026-46562
Awaiting Analysis Awaiting Analysis - Queue

Command Injection in Yamcs Mission Control Framework

Vulnerability report for CVE-2026-46562, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

Yamcs is a mission control framework. Prior to 5.12.7, the Nashorn ScriptEngine used to evaluate user-supplied JavaScript algorithm text in yamcs-core/src/main/java/org/yamcs/algorithms/ScriptAlgorithmExecutorFactory.java was constructed without a ClassFilter, so a user with the ChangeMissionDatabase privilege could override an algorithm through the MdbOverrideApi.updateAlgorithm endpoint and supply JavaScript that reaches arbitrary Java classes (for example Java.type("java.lang.Runtime").getRuntime().exec(...)) to execute arbitrary OS commands as the Yamcs process; in the default configuration with no security.yaml the built-in guest user has superuser=true, making the issue reachable without authentication. This issue is fixed in versions 5.12.7 and 5.13.0, which disable algorithm editing by default.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 3 associated CPEs
Vendor Product Version / Range
yamcs yamcs to 5.12.7 (exc)
yamcs yamcs 5.12.7
yamcs yamcs 5.13.0

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-95 The product receives input from an upstream component, but it does not neutralize or incorrectly neutralizes code syntax before using the input in a dynamic evaluation call (e.g. "eval").
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-470 The product uses external input with reflection to select which classes or code to use, but it does not sufficiently prevent the input from selecting improper classes or code.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

CVE-2026-46562 is a critical remote code execution vulnerability in Yamcs, a mission control system. It allows an attacker with the ChangeMissionDatabase privilege to execute arbitrary Java code on the Yamcs server by overriding a mission database algorithm. The issue occurs because the Nashorn ScriptEngine used to evaluate user-supplied JavaScript lacks a ClassFilter, enabling access to Java classes like java.lang.Runtime for OS command execution.

Detection Guidance

Check Yamcs server logs for suspicious PATCH requests to /api/mdb-overrides/{instance}/{processor}/algorithms/{name} endpoints. Inspect ScriptAlgorithmExecutorFactory.java for Nashorn engine initialization without ClassFilter. Monitor for unexpected JavaScript algorithm overrides or OS command execution traces in Yamcs process logs.

Impact Analysis

This vulnerability allows attackers to execute arbitrary commands on the Yamcs server, read sensitive files, pivot to other systems, and disrupt mission operations. In default configurations without security.yaml, even unauthenticated users (guest) can exploit it due to superuser privileges. Attackers can silently compromise the system without triggering event logs.

Compliance Impact

This vulnerability likely violates compliance requirements for GDPR and HIPAA due to unauthorized code execution and potential data breaches. It enables attackers to access sensitive mission data or personal information, leading to regulatory penalties for inadequate security controls.

Mitigation Strategies

Upgrade Yamcs to version 5.12.7 or 5.13.0 or later. Disable algorithm editing in security.yaml if not required. Remove ChangeMissionDatabase privilege from non-admin users. Block unauthenticated guest user access if using default configurations. Monitor for unauthorized algorithm modifications.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46562. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart