CVE-2026-46621
Awaiting Analysis Awaiting Analysis - Queue

Remote Code Execution in Yamcs Script Evaluation Engine

Vulnerability report for CVE-2026-46621, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-16

Last updated on: 2026-07-16

Assigner: GitHub, Inc.

Description

Yamcs is a mission control framework. Prior to 5.12.7, the Yamcs script evaluation engine for Python algorithms dynamically compiled and evaluated user-controlled algorithm text using Jython through the JSR-223 ScriptEngine API without enforcing a secure sandbox, so an authenticated user with the ChangeMissionDatabase privilege could override an existing Python algorithm's logic through the mission database REST API and import and execute arbitrary Java classes such as java.lang.Runtime to achieve remote code execution on the underlying host operating system. This issue is fixed in versions 5.12.7 and 5.13.0, which disable algorithm editing by default.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-16
Last Modified
2026-07-16
Generated
2026-07-16
AI Q&A
2026-07-16
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 4 associated CPEs
Vendor Product Version / Range
yamcs yamcs to 5.12.7 (exc)
yamcs yamcs 5.12.7
yamcs yamcs 5.13.0
yamcs yamcs to 5.13.0 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This is an authenticated remote code execution (RCE) vulnerability in Yamcs versions before 5.13.0 and 5.12.7. The script evaluation engine for Python algorithms uses Jython without a secure sandbox, allowing authenticated users with ChangeMissionDatabase privilege to inject malicious code via the REST API. This can lead to arbitrary Java class execution like java.lang.Runtime, enabling OS command execution.

Detection Guidance

To detect this vulnerability, check if your Yamcs instance is running a version before 5.12.7 or 5.13.0. Review logs for suspicious PATCH requests to the mission database REST API modifying Python algorithms. Look for unauthorized imports of java.lang.Runtime or other Java classes in algorithm scripts.

Impact Analysis

An attacker with ChangeMissionDatabase privilege could execute arbitrary commands on the host system, leading to full system compromise. This includes data theft, unauthorized access, and potential lateral movement within the network. The impact is severe due to the ability to run OS-level commands.

Compliance Impact

This vulnerability could lead to unauthorized data access or exfiltration, violating GDPR's data protection requirements and HIPAA's safeguards for protected health information. Non-compliance risks include legal penalties, reputational damage, and loss of trust.

Mitigation Strategies

Immediately upgrade Yamcs to version 5.12.7, 5.13.0, or later. Disable algorithm editing by default if not required. Restrict the ChangeMissionDatabase privilege to trusted users only. Monitor for any unauthorized modifications to Python algorithms.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-46621. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart