Summary
CVE-2026-46562 is a critical (CVSS 9.8) unauthenticated Remote Code Execution vulnerability in Yamcs, an open-source mission control framework used for spacecraft command, control, and communication. The flaw resides in the Nashorn ScriptEngine used to evaluate user-supplied JavaScript algorithm text, which was instantiated without a ClassFilter, allowing an attacker to invoke arbitrary Java classes and execute OS commands as the Yamcs process. In Yamcs’s default configuration — where no security.yaml is present — the built-in guest user carries superuser=true privileges, making the vulnerability fully exploitable without any credentials.
Technical details
- Root cause:
ScriptAlgorithmExecutorFactory.makeExecutorinstantiates a NashornScriptEnginewithout aClassFilter, imposing no restriction on which Java classes user-supplied JavaScript may access. - Trigger conditions: An attacker sends a
PATCHrequest to the/api/mdb-overrides/{instance}/{processor}/algorithms/{algorithm}endpoint (MdbOverrideApi.updateAlgorithm), supplying a malicious JavaScript body. The script flows throughAlgorithmManager.overrideAlgorithm→ScriptAlgorithmExecutorFactory.makeExecutor→scriptEngine.eval()with no sandboxing applied. - Unauthenticated access: In the default Yamcs deployment (no
security.yaml), the built-inguestuser hassuperuser=true, so no credentials are needed to reach the vulnerable endpoint and submit an algorithm override. - Attack vector: Remotely exploitable over the network, with no authentication, no user interaction, and no special network conditions required (AV:N/AC:L/PR:N/UI:N).
- Impact: Full OS command execution as the Yamcs JVM process — for example via
Java.type("java.lang.Runtime").getRuntime().exec(...)— enabling arbitrary command execution, file read/write, lateral movement within the network, and potential disruption of spacecraft or ground-station operations.
Affected software
- Yamcs versions 4.7.3 through 5.12.6 (all releases from November 2018 through the latest 5.12.x line)
Severity
CVSS v3.1 base score: 9.8 (Critical)
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Mitigation and recommended actions
- Immediate: Upgrade to Yamcs 5.12.7 or 5.13.0, which disable algorithm editing by default and eliminate the unsandboxed
ScriptEnginecode path. - If immediate patching is not feasible:
- Deploy a
security.yamlconfiguration to revoke the defaultguestsuperuser privilege and enforce authentication on all HTTP API endpoints. - Apply network-level controls to restrict access to the Yamcs HTTP API port (default: 8090) to trusted internal hosts only.
- Deploy a
IONIX Status
The IONIX research team is tracking ongoing exploitation attempts and recommends immediate patching. Potentially affected assets are outlined in this post.

