PatchSiren cyber security CVE debrief
CVE-2026-46621 yamcs CVE debrief
A critical vulnerability was discovered in Yamcs, a mission control framework. An authenticated user with the ChangeMissionDatabase privilege could exploit this vulnerability to achieve remote code execution on the underlying host operating system. The issue is fixed in versions 5.12.7 and 5.13.0. The vulnerability allows an attacker to override an existing Python algorithm's logic through the mission database REST API and import and execute arbitrary Java classes such as java.lang.Runtime. This could lead to a significant impact on the security of the system.
- Vendor
- yamcs
- Product
- Unknown
- CVSS
- CRITICAL 9.1
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-07-16
- Original CVE updated
- 2026-07-16
- Advisory published
- 2026-07-16
- Advisory updated
- 2026-07-16
Who should care
Users of Yamcs versions prior to 5.12.7 or 5.13.0 should apply the patches immediately to prevent potential remote code execution attacks. This includes operators, administrators, and security teams responsible for managing and securing Yamcs systems. Additionally, vulnerability management teams should review the CVE record and assess the risk to their organization.
Technical summary
The Yamcs script evaluation engine for Python algorithms dynamically compiled and evaluated user-controlled algorithm text using Jython through the JSR-223 ScriptEngine API without enforcing a secure sandbox. This allowed an authenticated user with the ChangeMissionDatabase privilege to override an existing Python algorithm's logic through the mission database REST API and import and execute arbitrary Java classes such as java.lang.Runtime to achieve remote code execution on the underlying host operating system. The vulnerability is fixed in versions 5.12.7 and 5.13.0.
Defensive priority
High
Recommended defensive actions
- Apply patches to upgrade to Yamcs version 5.12.7 or 5.13.0
- Restrict access to the mission database REST API
- Monitor for suspicious activity on the Yamcs system
- Review compensating controls for exposed systems while remediation is scheduled and verified
- Check relevant monitoring, detection, and logs for exposed assets that need extra review
- Track exceptions, retest remediated assets, and close the item only after evidence is documented
- Confirm whether affected product deployments exist in managed environments and assign an owner for follow-up
Evidence notes
The CVE record was published on 2026-07-16T17:16:57.090Z and has not been modified since then. The NVD entry is currently Undergoing Analysis. There is limited information available about the vulnerability, and defenders should verify the affected scope and severity with the vendor. The CVE record does not provide additional details about the vulnerability, and its impact is not well understood.
Official resources
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-07-16T17:16:57.090Z and has not been modified since then.