CVE-2026-46562 PUBLISHED

Yamcs: Remote Code Execution via Mission Database algorithm override

Assigner: GitHub_M
Reserved: 14.05.2026 Published: 16.07.2026 Updated: 16.07.2026

Yamcs is a mission control framework. Prior to 5.12.7, the Nashorn ScriptEngine used to evaluate user-supplied JavaScript algorithm text in yamcs-core/src/main/java/org/yamcs/algorithms/ScriptAlgorithmExecutorFactory.java was constructed without a ClassFilter, so a user with the ChangeMissionDatabase privilege could override an algorithm through the MdbOverrideApi.updateAlgorithm endpoint and supply JavaScript that reaches arbitrary Java classes (for example Java.type("java.lang.Runtime").getRuntime().exec(...)) to execute arbitrary OS commands as the Yamcs process; in the default configuration with no security.yaml the built-in guest user has superuser=true, making the issue reachable without authentication. This issue is fixed in versions 5.12.7 and 5.13.0, which disable algorithm editing by default.

Metrics

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS Score: 9.8

Product Status

Vendor yamcs
Product yamcs
Versions
  • Version < 5.12.7 is affected

References

Problem Types

  • CWE-94: Improper Control of Generation of Code ('Code Injection') CWE
  • CWE-95: Improper Neutralization of Directives in Dynamically Evaluated Code ('Eval Injection') CWE
  • CWE-470: Use of Externally-Controlled Input to Select Classes or Code ('Unsafe Reflection') CWE