Description
Yamcs is a mission control framework. Prior to 5.12.7, the Nashorn ScriptEngine used to evaluate user-supplied JavaScript algorithm text in yamcs-core/src/main/java/org/yamcs/algorithms/ScriptAlgorithmExecutorFactory.java was constructed without a ClassFilter, so a user with the ChangeMissionDatabase privilege could override an algorithm through the MdbOverrideApi.updateAlgorithm endpoint and supply JavaScript that reaches arbitrary Java classes (for example Java.type("java.lang.Runtime").getRuntime().exec(...)) to execute arbitrary OS commands as the Yamcs process; in the default configuration with no security.yaml the built-in guest user has superuser=true, making the issue reachable without authentication. This issue is fixed in versions 5.12.7 and 5.13.0, which disable algorithm editing by default.
No analysis available yet.
Remediation
No remediation available yet.
Tracking
Sign in to view the affected projects.
Advisories
| Source | ID | Title |
|---|---|---|
Github GHSA |
GHSA-vmwp-vh32-rj75 | Yamcs Vulnerable to Remote Code Execution via Mission Database algorithm override |
References
History
Thu, 16 Jul 2026 17:45:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| First Time appeared |
Yamcs
Yamcs yamcs |
|
| Vendors & Products |
Yamcs
Yamcs yamcs |
Thu, 16 Jul 2026 16:30:00 +0000
| Type | Values Removed | Values Added |
|---|---|---|
| Description | Yamcs is a mission control framework. Prior to 5.12.7, the Nashorn ScriptEngine used to evaluate user-supplied JavaScript algorithm text in yamcs-core/src/main/java/org/yamcs/algorithms/ScriptAlgorithmExecutorFactory.java was constructed without a ClassFilter, so a user with the ChangeMissionDatabase privilege could override an algorithm through the MdbOverrideApi.updateAlgorithm endpoint and supply JavaScript that reaches arbitrary Java classes (for example Java.type("java.lang.Runtime").getRuntime().exec(...)) to execute arbitrary OS commands as the Yamcs process; in the default configuration with no security.yaml the built-in guest user has superuser=true, making the issue reachable without authentication. This issue is fixed in versions 5.12.7 and 5.13.0, which disable algorithm editing by default. | |
| Title | Yamcs: Remote Code Execution via Mission Database algorithm override | |
| Weaknesses | CWE-470 CWE-94 CWE-95 |
|
| References |
|
|
| Metrics |
cvssV3_1
|
Status: PUBLISHED
Assigner: GitHub_M
Published:
Updated: 2026-07-16T16:06:39.148Z
Reserved: 2026-05-14T20:42:31.370Z
Link: CVE-2026-46562
No data.
No data.
No data.
OpenCVE Enrichment
Updated: 2026-07-16T17:30:03Z
Github GHSA