External risk intelligence

Yamcs Algorithm Engine Code Injection Vulnerability

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-44632

Yamcs is a mission control framework typically deployed in specialized, restricted environments rather than as a public-facing web service. While it exposes a REST API that could be network-accessible, it is designed for controlled operational use, making broad public internet exposure less common than typical web applications.

Code Injection

Halo Surface Signal: 3 out of 5 — possibly public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability has been identified in the Yamcs mission control framework that could allow an authenticated user to execute arbitrary code on the underlying operating system. This could potentially lead to unauthorized access or control of critical systems. The main concern is confirming relevance and exposure given the specialized nature of the technology.

  • Code injection flaw in mission control software.
  • Could allow unauthorized code execution.
  • Confirm relevance and exposure for critical systems.

Attack Path

How an attacker could exploit the issue

An attacker with the ability to modify mission database entries could inject malicious Java code by altering algorithm text through the mission database REST API. This code would then be compiled and executed on the server, potentially leading to full control of the underlying operating system.

  • Authenticated user with privilege.
  • Override algorithm text via REST API.
  • Remote code execution on host.

Live Threat

Current exploitation, exposure, and threat context

An authenticated user with the "ChangeMissionDatabase" privilege could inject Java code into the Yamcs algorithm evaluation engine, potentially leading to remote code execution on the underlying host operating system when the mission database REST API is accessible.

  • Host operating system code execution.
  • Overriding algorithm text via REST API.
  • Compromise of the underlying host.

Operational Fix

Recommended remediation, mitigation, and detection steps

Real-world remediation likely falls to the platform or infrastructure teams managing the Yamcs environment, in coordination with application owners and potentially vendor management if the platform is externally hosted or managed. The first practical step is to identify all Yamcs instances, determine their network exposure and criticality, confirm the accountable owner for each instance, and then prioritize remediation efforts based on risk and operational impact.

  • Platform/App owners should address.
  • Verify Yamcs instance exposure and criticality.
  • Plan remediation during maintenance windows.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Yamcs?

Yamcs is a specialized software framework used for mission control operations. It acts as a centralized system to process telemetry, manage mission databases, and monitor complex equipment or satellite data streams, often functioning as the core engine that links operators to mission hardware.

What does CWE-94 mean for CVE-2026-44632?

CWE-94 refers to improper control of code generation, commonly known as code injection. In this CVE, the vulnerability allows the software to treat user-provided text as executable instructions. Because the evaluation engine compiles this input without a secure sandbox, an attacker can trick the system into running unauthorized Java code.

How is this Yamcs vulnerability triggered?

An attacker must have the specific 'ChangeMissionDatabase' privilege to modify algorithm text via the mission database REST API. Simply accessing the network or the Yamcs interface is not enough; the attacker must already possess the administrative authorization required to alter the system's internal mission database logic.

Is my Yamcs instance at risk?

Halo Surface Signal indicates that Yamcs is typically deployed in restricted, specialized environments rather than as a public-facing web service. You should evaluate if your specific instance is network-accessible. If your deployment is tightly isolated from broader networks, the practical risk is lower, though internal access still presents a concern.

How do I secure my environment?

The primary response is to update your Yamcs instance to version 5.12.7 or 5.13.0, which disables algorithm editing by default. Begin by cataloging all running instances to determine which are critical or network-exposed, then coordinate with your infrastructure and application teams to schedule the update during your next maintenance window.

References