External risk intelligence

YAMCS Nashorn Scripting Command Execution Vulnerability.

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-46562

Yamcs is a mission control framework that exposes management and mission database endpoints. In default configurations, these services are often accessible over the network to facilitate control and monitoring. Since the vulnerability resides in an API endpoint reachable without authentication, it constitutes an externally reachable management surface common in these deployments.

Code Injection

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A vulnerability in the Yamcs mission control framework could allow unauthorized users to execute arbitrary operating system commands. This stems from the improper handling of user-supplied JavaScript, potentially enabling attackers to gain control over the Yamcs process. While fixes are available, confirming relevance and exposure is the primary concern.

  • Allows code execution on Yamcs systems.
  • Affects mission control operations at a high level.
  • Confirm if your mission control is exposed.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this by leveraging the ability to update algorithms through the MdbOverrideApi.updateAlgorithm endpoint. By providing specially crafted JavaScript code, an attacker can execute arbitrary operating system commands with the privileges of the Yamcs process. In default configurations, this vulnerability is reachable without any prior authentication, allowing unauthenticated attackers to compromise the system.

  • Unauthenticated network access to API.
  • Overriding algorithms with malicious JavaScript.
  • Arbitrary OS command execution.

Live Threat

Current exploitation, exposure, and threat context

When supported by the advisory, a user with the ChangeMissionDatabase privilege could override algorithms with malicious JavaScript. This could lead to the execution of arbitrary operating system commands as the Yamcs process, especially in default configurations where the guest user has superuser privileges and no authentication is required.

  • Arbitrary OS command execution.
  • Via unauthenticated API endpoint.
  • Compromise of Yamcs process.

Operational Fix

Recommended remediation, mitigation, and detection steps

The Yamcs mission control framework's security flaw requires action from teams responsible for its operation, particularly those managing the mission control infrastructure and any application owners who have customized its JavaScript algorithm functionality. The immediate first step is to determine the extent of Yamcs deployment, identify its business criticality, and locate the specific system owners. This will enable a risk-based approach to remediation, considering factors like network reachability and authentication requirements.

  • Ownership: Mission control platform and application owners.
  • Verify: Yamcs deployment and network reachability.
  • Action: Plan risk-based remediation or vendor coordination.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Yamcs?

Yamcs is a mission control framework designed for space mission operations. It serves as a central hub for telemetry processing, command generation, and archiving, allowing operators to monitor and interact with space hardware through a mission database.

How does this CVE-2026-46562 vulnerability work?

This issue is categorized under CWE-94, CWE-95, and CWE-470, which involve improper control of code generation and external input. The software uses a script engine to run JavaScript algorithms but fails to restrict access to underlying system functions. This allows a user to provide malicious script code that escapes the intended sandbox to execute arbitrary operating system commands directly on the server running Yamcs.

Does this require special access to trigger?

In the default configuration, the flaw does not require any prior authentication or special user privileges. The vulnerability is triggered by sending specially crafted input to the mission database update API. If you have customized your security settings to disable the default guest superuser account, the risk profile changes, but the core logic flaw in the script execution remains.

How relevant is this to my network security?

According to Halo Surface Signal, this vulnerability is considered highly relevant for most deployments. Because Yamcs is a mission control platform, it is often configured to be reachable over the network for monitoring and management purposes. If your instance is exposed to the network, the management API endpoint is likely accessible to an attacker without requiring a login.

Is an update available to fix this?

Yes, you should prioritize upgrading to version 5.12.7 or 5.13.0. These versions address the issue by disabling algorithm editing by default, which removes the path for this command execution. As a first step, confirm your current version number and identify the system owners responsible for mission control infrastructure to coordinate this update.

References