CVE-2026-46562 in Yamcs
Summary
by MITRE • 07/16/2026
Yamcs is a mission control framework. Prior to 5.12.7, the Nashorn ScriptEngine used to evaluate user-supplied JavaScript algorithm text in yamcs-core/src/main/java/org/yamcs/algorithms/ScriptAlgorithmExecutorFactory.java was constructed without a ClassFilter, so a user with the ChangeMissionDatabase privilege could override an algorithm through the MdbOverrideApi.updateAlgorithm endpoint and supply JavaScript that reaches arbitrary Java classes (for example Java.type("java.lang.Runtime").getRuntime().exec(...)) to execute arbitrary OS commands as the Yamcs process; in the default configuration with no security.yaml the built-in guest user has superuser=true, making the issue reachable without authentication. This issue is fixed in versions 5.12.7 and 5.13.0, which disable algorithm editing by default.
If you want to get the best quality for vulnerability data then you always have to consider VulDB.
Analysis
by VulDB Data Team • 07/16/2026
The vulnerability described represents a critical remote code execution flaw in Yamcs mission control framework affecting versions prior to 5.12.7. This security weakness stems from improper configuration of the Nashorn ScriptEngine within the ScriptAlgorithmExecutorFactory component, specifically lacking a ClassFilter during script engine construction. The flaw exists in the yamcs-core module at path org/yamcs/algorithms/ScriptAlgorithmExecutorFactory.java where user-supplied JavaScript algorithms are evaluated. The vulnerability is particularly dangerous because it allows privilege escalation through the MdbOverrideApi.updateAlgorithm endpoint, which accepts algorithm overrides from authenticated users possessing the ChangeMissionDatabase privilege.
The technical implementation of this vulnerability exploits the absence of proper class filtering in the Nashorn JavaScript engine, enabling attackers to access Java reflection APIs directly from JavaScript code. An attacker can leverage JavaScript's Java.type() function to access java.lang.Runtime and execute arbitrary operating system commands with the privileges of the Yamcs process itself. This represents a classic sandbox escape vulnerability where the scripting environment's security boundaries are breached, allowing unrestricted access to underlying Java runtime capabilities. The flaw is further amplified by default configuration settings where the built-in guest user has superuser=true parameter enabled in the absence of explicit security.yaml configuration, making authentication bypass possible.
The operational impact of this vulnerability is severe as it provides attackers with complete system compromise capabilities when the Yamcs process runs with elevated privileges. Attackers can execute arbitrary commands on the host system, potentially leading to data exfiltration, system persistence, privilege escalation to other network services, or complete system takeover. The vulnerability affects mission-critical space operations environments where Yamcs is commonly deployed for satellite and spacecraft control, making it particularly dangerous for operational technology infrastructure. Given that default configurations allow unauthenticated access through the guest user account, this creates an attack surface that requires no authentication credentials to exploit.
The security implications align with CWE-94 (Improper Control of Generation of Code) and CWE-78 (Improper Neutralization of Special Elements used in OS Command Execution) categories, representing code injection vulnerabilities that allow arbitrary command execution. The attack pattern follows ATT&CK technique T1059.007 (Command and Scripting Interpreter: JavaScript) combined with T1068 (Exploitation for Privilege Escalation) and T1566 (Phishing). This vulnerability demonstrates poor input validation and insufficient sandboxing mechanisms in the scripting engine configuration. The fix implemented in versions 5.12.7 and 5.13.0 addresses this by disabling algorithm editing functionality by default, effectively removing the attack vector through the MdbOverrideApi endpoint and preventing unauthorized users from modifying critical system algorithms that could be exploited for command execution.