Description
An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Console. A user with access to the panel can send crafted requests that allow the execution of arbitrary operating system commands with the privileges of the application service user.
Published: 2026-05-19
Score: 9.1 Critical
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

An authenticated user who can access the GlassFish Administration Console can send specially crafted requests that cause the server to execute arbitrary operating system commands with the privileges of the application service user. The flaw is a classic OS command injection (CWE-917), which allows an attacker to run arbitrary code on the host system.

Affected Systems

The vulnerability affects Eclipse Glassfish products. No specific version information is listed in the CNA data, so all releases that include the vulnerable Administration Console implementation may be impacted.

Risk and Exploitability

The CVSS score of 9.1 indicates a critical level of severity. No EPSS score is available, and the vulnerability is not listed in the CISA KEV catalog, which suggests no confirmed widespread exploitation yet. The likely attack vector requires an attacker to first authenticate to the Administration Console; once authenticated, the attacker can deliver malicious requests that trigger the command execution flaw.

Generated by OpenCVE AI on May 19, 2026 at 15:20 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest Eclipse GlassFish security patch that resolves the command injection in the Administration Console.
  • Restrict network access to the Administration Console and enforce strong authentication and role-based access control to limit exposure to trusted users only.
  • Consider disabling or segregating the Administration Console in environments where it is not required, and monitor for anomalous requests targeting console endpoints.

Generated by OpenCVE AI on May 19, 2026 at 15:20 UTC.


Advisories

No advisories yet.

History

Tue, 19 May 2026 15:45:00 +0000

Type | Values Removed | Values Added
Title | | Arbitrary OS Command Execution via GlassFish Administration Console
First Time appeared | | Eclipse; Eclipse glassfish
Vendors & Products | | Eclipse; Eclipse glassfish

Tue, 19 May 2026 15:30:00 +0000

Type | Values Removed | Values Added
Metrics | | ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 19 May 2026 14:30:00 +0000

Type | Values Removed | Values Added
Description | | An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Console. A user with access to the panel can send crafted requests that allow the execution of arbitrary operating system commands with the privileges of the application service user.
Weaknesses | | CWE-917; CWE-94
References | |
Metrics | | cvssV3_1

{'score': 9.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H'}


Subscriptions

Eclipse Glassfish
MITRE

Status: PUBLISHED

Assigner: eclipse

Published:

Updated: 2026-05-19T14:40:56.504Z

Reserved: 2026-02-16T14:10:57.801Z

Link: CVE-2026-2586

Vulnrichment

Updated: 2026-05-19T14:40:53.226Z

NVD

Status : Received

Published: 2026-05-19T15:16:28.413

Modified: 2026-05-19T15:16:28.413

Link: CVE-2026-2586

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-19T15:30:08Z

Weaknesses