CVE-2026-2586
Java Análisis y mitigación de vulnerabilidades

Vista general

CVE-2026-2586 is an authenticated Remote Code Execution (RCE) vulnerability in Eclipse GlassFish's Administration Console. A user with access to the administration panel can send crafted requests to execute arbitrary operating system commands with the privileges of the application service user. The vulnerability affects Eclipse GlassFish versions prior to 8.0.2 and the Maven package org.glassfish.jsftemplating:jsftemplating versions prior to 4.2.0. It was published on May 19, 2026, and carries a CVSS v3.1 base score of 9.1 (Critical) (GitHub Advisory, Eclipse CVE Assignment).

Técnicas

The vulnerability is classified under CWE-94 (Improper Control of Generation of Code / Code Injection) and CWE-917 (Expression Language Injection), indicating that user-supplied input is improperly handled within the GlassFish Administration Console, allowing it to influence code or expression language execution (GitHub Advisory). The attack vector is network-based with low attack complexity, requiring high privileges (administrative console access) and no user interaction. The scope is marked as "Changed," meaning successful exploitation can impact resources beyond the vulnerable component itself. Specific technical details about the vulnerable endpoint or payload structure have not been publicly disclosed in available sources (Eclipse CVE Assignment).

Impacto

Successful exploitation allows an authenticated attacker to execute arbitrary operating system commands with the privileges of the GlassFish application service user, resulting in high impact to confidentiality, integrity, and availability of the affected system. This could lead to full system compromise, unauthorized access to sensitive application data, modification or destruction of data, and potential lateral movement within the network if the service account has broad permissions. The "Changed" scope in the CVSS rating indicates that the impact can extend beyond the GlassFish application itself to other system resources (GitHub Advisory).

Mitigación y soluciones alternativas

Eclipse has released patched versions to address this vulnerability: upgrade to GlassFish 8.0.2 or later, and update the Maven package org.glassfish.jsftemplating:jsftemplating to version 4.2.0 or later (GitHub Advisory, GlassFish Release). As interim mitigations, restrict network access to the GlassFish Administration Console to trusted administrators only (e.g., via firewall rules or VPN), enforce strong authentication controls for administrative accounts, and monitor administrative interfaces for suspicious activity. Disabling or isolating the Administration Console if not required is also recommended.

Reacciones de la comunidad

The vulnerability was noted in a blog post by OmniFish covering the GlassFish 8.0.2 release, which highlighted the security fixes included in the update (OmniFish Blog). The CISA vulnerability bulletin SB26-145 also referenced this CVE, indicating it received attention from U.S. government cybersecurity authorities (CISA Bulletin). No significant independent researcher commentary or social media discussion has been identified beyond standard vulnerability tracking aggregators.

Recursos adicionales


FuenteEste informe se generó utilizando IA

Relacionado Java Vulnerabilidades:

CVE ID

Severidad

Puntuación

Tecnologías

Nombre del componente

Exploit de CISA KEV

Tiene arreglo

Fecha de publicación

CVE-2026-50270HIGH7.5
  • Java logoJava
  • com.datadoghq:dd-java-agent
NoJul 15, 2026
CVE-2026-59955HIGH7.5
  • Java logoJava
  • com.ctrip.framework.apollo:apollo
NoJul 15, 2026
CVE-2026-59954HIGH7.5
  • Java logoJava
  • com.ctrip.framework.apollo:apollo
NoNoJul 15, 2026
CVE-2026-44891HIGH7.5
  • Java logoJava
  • pinot
NoJul 14, 2026
CVE-2025-32781MEDIUM6.5
  • Java logoJava
  • com.ctrip.framework.apollo:apollo
NoJul 15, 2026

Evaluación gratuita de vulnerabilidades

Compare su postura de seguridad en la nube

Evalúe sus prácticas de seguridad en la nube en 9 dominios de seguridad para comparar su nivel de riesgo e identificar brechas en sus defensas.

Solicitar evaluación

Recursos adicionales de Wiz

Obtén una demostración personalizada

¿Listo para ver a Wiz en acción?

"La mejor experiencia de usuario que he visto en mi vida, proporciona una visibilidad completa de las cargas de trabajo en la nube."
David EstlickCISO
"Wiz proporciona un panel único para ver lo que ocurre en nuestros entornos en la nube."
Adam FletcherJefe de Seguridad
"Sabemos que si Wiz identifica algo como crítico, en realidad lo es."
Greg PoniatowskiJefe de Gestión de Amenazas y Vulnerabilidades