CVE-2026-2586
Java Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-2586 is an authenticated Remote Code Execution (RCE) vulnerability in Eclipse GlassFish's Administration Console. A user with access to the administration panel can send crafted requests to execute arbitrary operating system commands with the privileges of the application service user. The vulnerability affects Eclipse GlassFish versions prior to 8.0.2 and the Maven package org.glassfish.jsftemplating:jsftemplating versions prior to 4.2.0. It was published on May 19, 2026, and carries a CVSS v3.1 base score of 9.1 (Critical) (GitHub Advisory, Eclipse CVE Assignment).

Détails techniques

The vulnerability is classified under CWE-94 (Improper Control of Generation of Code / Code Injection) and CWE-917 (Expression Language Injection), indicating that user-supplied input is improperly handled within the GlassFish Administration Console, allowing it to influence code or expression language execution (GitHub Advisory). The attack vector is network-based with low attack complexity, requiring high privileges (administrative console access) and no user interaction. The scope is marked as "Changed," meaning successful exploitation can impact resources beyond the vulnerable component itself. Specific technical details about the vulnerable endpoint or payload structure have not been publicly disclosed in available sources (Eclipse CVE Assignment).

Impact

Successful exploitation allows an authenticated attacker to execute arbitrary operating system commands with the privileges of the GlassFish application service user, resulting in high impact to confidentiality, integrity, and availability of the affected system. This could lead to full system compromise, unauthorized access to sensitive application data, modification or destruction of data, and potential lateral movement within the network if the service account has broad permissions. The "Changed" scope in the CVSS rating indicates that the impact can extend beyond the GlassFish application itself to other system resources (GitHub Advisory).

Atténuation et solutions de contournement

Eclipse has released patched versions to address this vulnerability: upgrade to GlassFish 8.0.2 or later, and update the Maven package org.glassfish.jsftemplating:jsftemplating to version 4.2.0 or later (GitHub Advisory, GlassFish Release). As interim mitigations, restrict network access to the GlassFish Administration Console to trusted administrators only (e.g., via firewall rules or VPN), enforce strong authentication controls for administrative accounts, and monitor administrative interfaces for suspicious activity. Disabling or isolating the Administration Console if not required is also recommended.

Réactions de la communauté

The vulnerability was noted in a blog post by OmniFish covering the GlassFish 8.0.2 release, which highlighted the security fixes included in the update (OmniFish Blog). The CISA vulnerability bulletin SB26-145 also referenced this CVE, indicating it received attention from U.S. government cybersecurity authorities (CISA Bulletin). No significant independent researcher commentary or social media discussion has been identified beyond standard vulnerability tracking aggregators.

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté Java Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-50270HIGH7.5
  • Java logoJava
  • com.datadoghq:dd-java-agent
NonOuiJul 15, 2026
CVE-2026-59955HIGH7.5
  • Java logoJava
  • com.ctrip.framework.apollo:apollo
NonOuiJul 15, 2026
CVE-2026-59954HIGH7.5
  • Java logoJava
  • com.ctrip.framework.apollo:apollo
NonNonJul 15, 2026
CVE-2026-44891HIGH7.5
  • Java logoJava
  • pinot
NonOuiJul 14, 2026
CVE-2025-32781MEDIUM6.5
  • Java logoJava
  • com.ctrip.framework.apollo:apollo
NonOuiJul 15, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités