Description
An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Console. A user with access to the panel can send crafted requests that allow the execution of arbitrary operating system commands with the privileges of the application service user. This issue affects Eclipse GlassFish: from 8.0.0 to 8.0.1, fixed in 8.0.2; 7.1.0, fixed in 7.1.1; from 7.0.0 to 7.0.25, fixed in 7.0.26. Impact on versions from 5.1.0 to 6.2.5 is unknown.
Published: 2026-05-19
Score: 9.1 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

This authenticated remote code execution vulnerability occurs in the GlassFish Administration Console. An attacker with console access can send specially crafted requests that trigger the execution of arbitrary operating system commands with the privileges of the application service user. The flaw is a classic OS command injection (CWE-917), allowing arbitrary code execution on the host machine.

Affected Systems

The vulnerability affects Eclipse GlassFish products. Versions 8.0.0 through 8.0.1, 7.1.0, and 7.0.0 through 7.0.25 are affected; these are fixed in 8.0.2, 7.1.1, and 7.0.26 respectively. Versions 5.1.0 to 6.2.5 have an unknown impact.

Risk and Exploitability

The CVSS score of 9.1 indicates a critical level of severity. The EPSS score of 0.00819 indicates a very low probability of exploitation, and the vulnerability is not listed in the CISA KEV catalog, implying no confirmed widespread exploitation yet. The likely attack vector requires an attacker to first authenticate to the Administration Console; once authenticated, the attacker can deliver malicious requests that trigger the command execution flaw.

Generated by OpenCVE AI on June 29, 2026 at 09:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Eclipse GlassFish security patch that resolves the command injection in the Administration Console.
  • Restrict network access to the Administration Console and enforce strong authentication and role-based access control to limit exposure to trusted users only.
  • Consider disabling or segregating the Administration Console in environments where it is not required, and monitor for anomalous requests targeting console endpoints.

Generated by OpenCVE AI on June 29, 2026 at 09:51 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-96v6-hq43-x9h4 GlassFish's Administration Console is Vulnerable to RCE
History

Mon, 29 Jun 2026 10:15:00 +0000

Type Values Removed Values Added
Title Arbitrary OS Command Execution via GlassFish Administration Console

Mon, 29 Jun 2026 08:45:00 +0000

Type Values Removed Values Added
Description An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Console. A user with access to the panel can send crafted requests that allow the execution of arbitrary operating system commands with the privileges of the application service user. An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Console. A user with access to the panel can send crafted requests that allow the execution of arbitrary operating system commands with the privileges of the application service user. This issue affects Eclipse GlassFish: from 8.0.0 to 8.0.1, fixed in 8.0.2; 7.1.0, fixed in 7.1.1; from 7.0.0 to 7.0.25, fixed in 7.0.26. Impact on versions from 5.1.0 to 6.2.5 is unknown.

Thu, 21 May 2026 13:30:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:eclipse:glassfish:*:*:*:*:*:*:*:*

Tue, 19 May 2026 15:45:00 +0000

Type Values Removed Values Added
Title Arbitrary OS Command Execution via GlassFish Administration Console
First Time appeared Eclipse
Eclipse glassfish
Vendors & Products Eclipse
Eclipse glassfish

Tue, 19 May 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 19 May 2026 14:30:00 +0000

Type Values Removed Values Added
Description An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Console. A user with access to the panel can send crafted requests that allow the execution of arbitrary operating system commands with the privileges of the application service user.
Weaknesses CWE-917
CWE-94
References
Metrics cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Eclipse Glassfish
cve-icon MITRE

Status: PUBLISHED

Assigner: eclipse

Published:

Updated: 2026-06-29T08:34:31.867Z

Reserved: 2026-02-16T14:10:57.801Z

Link: CVE-2026-2586

cve-icon Vulnrichment

Updated: 2026-05-19T14:40:53.226Z

cve-icon NVD

Status : Analyzed

Published: 2026-05-19T15:16:28.413

Modified: 2026-06-17T10:31:21.593

Link: CVE-2026-2586

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-29T10:00:11Z

Weaknesses
  • CWE-917

    Improper Neutralization of Special Elements used in an Expression Language Statement ('Expression Language Injection')

  • CWE-94

    Improper Control of Generation of Code ('Code Injection')