CVE-2026-2587
Java Analyse et atténuation des vulnérabilités

Aperçu

CVE-2026-2587 is a critical Remote Code Execution (RCE) vulnerability in the server-side template rendering mechanism of Eclipse GlassFish's gadget handler, classified as an Expression Language (EL) Injection (CWE-917). The vulnerability affects org.glassfish.jsftemplating:jsftemplating versions before 4.2.0 and org.glassfish.main.admingui:admingui versions before 8.0.2 (Eclipse GlassFish before 8.0.2). It was published on May 19, 2026, with a patch released the same day. The CVSS v3.1 base score is 9.6 (Critical) (GitHub Advisory, Eclipse CVE Assignment).

Détails techniques

The root cause is improper neutralization of special elements in Expression Language statements (CWE-917) within GlassFish's gadget handler. The application processes .xml files and evaluates user-supplied values in a context where EL expressions (e.g., #{7*7}) are resolved server-side without sanitization or escaping. An attacker can inject malicious EL expressions into XML gadget parameters, which are then evaluated by the server, confirming RCE when the server returns the computed result (e.g., 49). A public PoC exploit script (CVE-2026-2587-Exploit-POC.py) is available that authenticates to the admin console, hosts a malicious XML probe with an EL canary, triggers the gadget.jsf endpoint, and confirms RCE (GitHub Advisory, PoC GitHub).

Impact

Successful exploitation allows a remote attacker to fully compromise the underlying host running GlassFish. Consequences include arbitrary command execution, reading and modifying sensitive data, establishing persistence on the compromised system, and lateral movement within the broader infrastructure. All three security pillars — confidentiality, integrity, and availability — are rated High, and the changed scope indicates impact can extend beyond the vulnerable component itself (GitHub Advisory, Eclipse CVE Assignment).

Étapes d’exploitation

  1. Reconnaissance: Identify internet-facing GlassFish instances (versions before 8.0.2) using tools like Shodan or Censys, targeting exposed admin console ports (default: 4848) or the gadget.jsf endpoint.
  2. Authentication: Authenticate to the GlassFish admin console using valid credentials (the PoC supports --username and --password parameters; default or weak credentials may be targeted).
  3. Host malicious XML probe: Set up a local HTTP server (built into the PoC script via --listen) to serve a crafted .xml file containing an EL canary expression such as #{7*7}.
  4. Trigger gadget handler: Send a request to the gadget.jsf endpoint with a parameter pointing to the attacker-controlled XML file URL (--callback-url), causing the server to fetch and process the malicious XML.
  5. Confirm EL evaluation: Verify that the server evaluates the EL expression server-side (e.g., returns 49 for #{7*7}), confirming RCE capability.
  6. Execute arbitrary commands: Replace the canary EL expression with a malicious payload (e.g., #{Runtime.getRuntime().exec('...')}) to execute arbitrary OS commands, establish a reverse shell, exfiltrate data, or deploy persistence mechanisms (PoC GitHub, GitHub Advisory).

Indicateurs de compromis

  • Network: Unusual HTTP requests to the gadget.jsf endpoint with parameters referencing external URLs; outbound HTTP connections from the GlassFish server to attacker-controlled hosts (used to fetch malicious XML files); unexpected outbound connections on non-standard ports (reverse shell activity).
  • Logs: GlassFish access logs showing requests to /gadget.jsf or similar endpoints with external URL parameters; server-side EL evaluation errors or unexpected numeric outputs (e.g., 49) in application logs; authentication events from unfamiliar IP addresses against the admin console.
  • File System: Unexpected .xml files or web shells written to the GlassFish deployment or temp directories; new cron jobs, scheduled tasks, or startup scripts created by the GlassFish service account.
  • Process: Unusual child processes spawned by the GlassFish JVM process (e.g., bash, sh, cmd.exe, curl, wget, python, nc); unexpected network listeners opened by the GlassFish process (PoC GitHub, GitHub Advisory).

Atténuation et solutions de contournement

Upgrade to Eclipse GlassFish 8.0.2 or later, which patches the vulnerable org.glassfish.main.admingui:admingui component, and upgrade org.glassfish.jsftemplating:jsftemplating to version 4.2.0 or later (GitHub Advisory, GlassFish Release). As interim mitigations: restrict network access to the GlassFish admin console (port 4848) to trusted IP ranges only; implement WAF rules to block EL injection patterns (e.g., #{, ${) in HTTP request parameters; disable EL evaluation in template contexts where user input is present if not required for functionality; and apply strict input validation and output encoding for all user-supplied values processed by the template rendering engine.

Réactions de la communauté

The vulnerability was noted in the OmniFish blog covering GlassFish 8.0.2's security fixes shortly after disclosure (OmniFish Blog). CISA included it in their weekly vulnerability bulletin (SB26-145), indicating recognition by the U.S. cybersecurity authority (CISA Bulletin). Community discussion was observed on Bluesky and security aggregator sites, and the vulnerability was featured in a PoC-of-the-week roundup in early June 2026 (PoC Week). Overall community sentiment reflects concern given the critical CVSS score and public PoC availability, though no widespread exploitation has been confirmed.

Ressources additionnelles


SourceCe rapport a été généré à l’aide de l’IA

Apparenté Java Vulnérabilités:

Identifiant CVE

Sévérité

Score

Technologies

Nom du composant

Exploit CISA KEV

A corrigé

Date de publication

CVE-2026-50270HIGH7.5
  • Java logoJava
  • com.datadoghq:dd-java-agent
NonOuiJul 15, 2026
CVE-2026-59955HIGH7.5
  • Java logoJava
  • com.ctrip.framework.apollo:apollo
NonOuiJul 15, 2026
CVE-2026-59954HIGH7.5
  • Java logoJava
  • com.ctrip.framework.apollo:apollo
NonNonJul 15, 2026
CVE-2026-44891HIGH7.5
  • Java logoJava
  • pinot
NonOuiJul 14, 2026
CVE-2025-32781MEDIUM6.5
  • Java logoJava
  • com.ctrip.framework.apollo:apollo
NonOuiJul 15, 2026

Évaluation gratuite des vulnérabilités

Évaluez votre posture de sécurité dans le cloud

Évaluez vos pratiques de sécurité cloud dans 9 domaines de sécurité pour évaluer votre niveau de risque et identifier les failles dans vos défenses.

Demander une évaluation

Obtenez une démo personnalisée

Prêt(e) à voir Wiz en action ?

"La meilleure expérience utilisateur que j’ai jamais vue, offre une visibilité totale sur les workloads cloud."
David EstlickRSSI
"Wiz fournit une interface unique pour voir ce qui se passe dans nos environnements cloud."
Adam FletcherChef du service de sécurité
"Nous savons que si Wiz identifie quelque chose comme critique, c’est qu’il l’est réellement."
Greg PoniatowskiResponsable de la gestion des menaces et des vulnérabilités