Description
A critical vulnerability in Admin GUI in Payara Server Full 4.x, 5.x, 6.x, 7.x, 7.2026.x, 6.2025.x, 6.2024.x on All platforms that allows the attacker to leak the admin gfresttoken to an attacker-controlled host that can result in a full unauthenticated takeover of Payara admin domain.

A Server-Side Request Forgery (SSRF) vulnerability in the DownloadServlet of the Admin GUI in Payara Server allows a remote attacker to exfiltrate the administrator's REST session token (gfresttoken) to an attacker-controlled host via a crafted request URL. Combined with the absence of CSRF protection on DownloadServlet, an unauthenticated attacker can trick a logged-in administrator into triggering the token leak, then replay the stolen token to gain full administrative access to the Payara domain, leading to arbitrary code execution via WAR deployment. The vulnerability exists in the DownloadServlet and associated ContentSource implementations (LogViewerContentSource, LogFilesContentSource, LBConfigContentSource, ClientStubsContentSource) within the admingui:console-common module.
Published: 2026-06-24
Score: 7.3 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

A Server‑Side Request Forgery flaw in the DownloadServlet of Payara Server’s Admin GUI can cause the system to send a victim’s administrator session token (gfresttoken) to an attacker‑controlled host. Because the servlet lacks CSRF protection, an attacker who tricks a logged‑in administrator into calling the URL can extract that token. The attacker can then replay the stolen token to the domain controller, gaining full administrative rights and the ability to deploy arbitrary WAR files for arbitrary code execution. This vulnerability is a classic Server‑Side Request Forgery (CWE‑918) combined with missing cross‑site request forgery safeguards (CWE‑352).

Affected Systems

The flaw is present in Payara Server Full 4.x, 5.x, 6.x and 7.x, including the 7.2026.x, 6.2025.x and 6.2024.x release lines, on all supported operating systems. Any instance that exposes the Admin GUI is potentially vulnerable.

Risk and Exploitability

The CVSS score of 7.3 is rated High. No EPSS score is available, but the flaw can be exploited by an unauthenticated attacker who can lure a logged‑in administrator into requesting the vulnerable endpoint, which is a low‑effort social‑engineering step. The vulnerability is not in the CISA KEV catalog, so there is no current evidence of widespread exploitation, yet the potential for full domain takeover warrants immediate attention. An attacker holding the stolen token could deploy an arbitrary WAR file, leading to remote code execution.

Generated by OpenCVE AI on June 24, 2026 at 15:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Deploy a Payara Server release that contains the SSRF and CSRF protection fix for the Admin GUI.
  • Restrict outbound connections from the Payara Server host or configure a proxy that blocks request URLs containing sensitive paths such as the administrator console, thereby mitigating SSRF.
  • Verify that the Admin GUI requires a CSRF token for state‑changing endpoints, or disable the DownloadServlet and related ContentSource classes if they are not required.
  • Audit the admin session handling to ensure that session tokens cannot be forwarded to external hosts; implement network segmentation to prevent token exfiltration.

Advisories

No advisories yet.

History

Wed, 24 Jun 2026 15:45:00 +0000

Type: Title
Values added: Server‑Side Request Forgery in Payara Server Admin GUI Exposes REST Session Token, Enabling Unauthenticated Administrative Takeover

Wed, 24 Jun 2026 15:30:00 +0000

Type: Metrics (ssvc)
Values added: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Wed, 24 Jun 2026 14:30:00 +0000

Type: Description
Values added: A critical vulnerability in Admin GUI in Payara Server Full 4.x, 5.x, 6.x, 7.x, 7.2026.x, 6.2025.x, 6.2024.x on All platforms that allows the attacker to leak the admin gfresttoken to an attacker-controlled host that can result in a full unauthenticated takeover of Payara admin domain. A Server-Side Request Forgery (SSRF) vulnerability in the DownloadServlet of the Admin GUI in Payara Server allows a remote attacker to exfiltrate the administrator's REST session token (gfresttoken) to an attacker-controlled host via a crafted request URL. Combined with the absence of CSRF protection on DownloadServlet, an unauthenticated attacker can trick a logged-in administrator into triggering the token leak, then replay the stolen token to gain full administrative access to the Payara domain, leading to arbitrary code execution via WAR deployment. The vulnerability exists in the DownloadServlet and associated ContentSource implementations (LogViewerContentSource, LogFilesContentSource, LBConfigContentSource, ClientStubsContentSource) within the admingui:console-common module.

Type: Weaknesses
Values added: CWE-352, CWE-918

Type: References

Type: Metrics (cvssV4_0)
Values added: {'score': 7.3, 'vector': 'CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/S:P/AU:Y/R:U/V:C/RE:M/U:Amber'}



MITRE

Status: PUBLISHED

Assigner: Payara

Published:

Updated: 2026-06-24T14:52:26.473Z

Reserved: 2026-06-23T11:45:33.366Z

Link: CVE-2026-12986

Vulnrichment

Updated: 2026-06-24T14:52:22.331Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-24T15:30:17Z

Weaknesses
  • CWE-352: Cross-Site Request Forgery (CSRF)
  • CWE-918: Server-Side Request Forgery (SSRF)