
PEACH
Un cadre d’isolation des locataires
CVE-2026-2586 is an authenticated Remote Code Execution (RCE) vulnerability in Eclipse GlassFish's Administration Console. A user with access to the administration panel can send crafted requests to execute arbitrary operating system commands with the privileges of the application service user. The vulnerability affects Eclipse GlassFish versions prior to 8.0.2 and the Maven package org.glassfish.jsftemplating:jsftemplating versions prior to 4.2.0. It was published on May 19, 2026, and carries a CVSS v3.1 base score of 9.1 (Critical) (GitHub Advisory, Eclipse CVE Assignment).
The vulnerability is classified under CWE-94 (Improper Control of Generation of Code / Code Injection) and CWE-917 (Expression Language Injection), indicating that user-supplied input is improperly handled within the GlassFish Administration Console, allowing it to influence code or expression language execution (GitHub Advisory). The attack vector is network-based with low attack complexity, requiring high privileges (administrative console access) and no user interaction. The scope is marked as "Changed," meaning successful exploitation can impact resources beyond the vulnerable component itself. Specific technical details about the vulnerable endpoint or payload structure have not been publicly disclosed in available sources (Eclipse CVE Assignment).
Successful exploitation allows an authenticated attacker to execute arbitrary operating system commands with the privileges of the GlassFish application service user, resulting in high impact to confidentiality, integrity, and availability of the affected system. This could lead to full system compromise, unauthorized access to sensitive application data, modification or destruction of data, and potential lateral movement within the network if the service account has broad permissions. The "Changed" scope in the CVSS rating indicates that the impact can extend beyond the GlassFish application itself to other system resources (GitHub Advisory).
Eclipse has released patched versions to address this vulnerability: upgrade to GlassFish 8.0.2 or later, and update the Maven package org.glassfish.jsftemplating:jsftemplating to version 4.2.0 or later (GitHub Advisory, GlassFish Release). As interim mitigations, restrict network access to the GlassFish Administration Console to trusted administrators only (e.g., via firewall rules or VPN), enforce strong authentication controls for administrative accounts, and monitor administrative interfaces for suspicious activity. Disabling or isolating the Administration Console if not required is also recommended.
The vulnerability was noted in a blog post by OmniFish covering the GlassFish 8.0.2 release, which highlighted the security fixes included in the update (OmniFish Blog). The CISA vulnerability bulletin SB26-145 also referenced this CVE, indicating it received attention from U.S. government cybersecurity authorities (CISA Bulletin). No significant independent researcher commentary or social media discussion has been identified beyond standard vulnerability tracking aggregators.
Source: Ce rapport a été généré à l’aide de l’IA
Évaluation gratuite des vulnérabilités
Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.
Obtenez une démo personnalisée
"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."