Description
alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5-2606, a sandbox escape vulnerability in the alf.io extension script engine allows an authenticated administrator to execute arbitrary operating system commands on the server. The extension system is intended to execute restricted JavaScript in a sandboxed Rhino environment; however, a combination of an unguarded injected Java object (`returnClass`) and an incomplete AST blocklist allows the sandbox to be fully escaped using Java reflection without triggering any validation errors. Version 2.0-M5-2606 patches the issue.
Published: 2026-06-02
Score: 8 High
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a sandbox escape in the extension script engine of alf.io, a CWE-863 flaw, allowing an authenticated administrator to execute arbitrary operating system commands on the host. By injecting an unguarded Java object and leveraging Java reflection, the Rhino sandbox can be bypassed, enabling full control over the server. This flaw provides an attacker—who already has administrator credentials—to compromise confidentiality, integrity, and availability of the system.

Affected Systems

All installations of alf.io running any version older than 2.0‑M5‑2606 are affected. The application is distributed by the vendor alfio‑event as the product alf.io, used as an open‑source ticket reservation platform for conferences and related events.

Risk and Exploitability

The CVSS score of 8 signals a high‑severity vulnerability; while EPSS data is not available, the lack of being listed in CISA's KEV catalog does not mean it is unlikely to be exploited. The flaw requires authenticated access at the administrator level, so the attack vector is internal privileged use, but once the administrator credential is compromised, an attacker can exceed the intended sandbox boundaries. Due to the potential for arbitrary command execution, the risk to the affected environment is high, and mitigation should be prioritized.

Generated by OpenCVE AI on June 3, 2026 at 04:11 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Update the alf.io installation to version 2.0‑M5‑2606 or newer, which contains the sandbox fix.
  • If an update cannot be applied immediately, restrict the extension script engine to trusted administrators only or disable it entirely for all users, and review any custom scripts that have already been deployed.
  • Employ least‑privilege practices: ensure that only essential personnel have administrative rights, audit permissions regularly, and monitor execution logs for suspicious command activity.

Generated by OpenCVE AI on June 3, 2026 at 04:11 UTC.

Tracking

Sign in to view the affected projects.

Advisories

No advisories yet.

History

Wed, 03 Jun 2026 15:30:00 +0000

Type Values Removed Values Added
Metrics ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'poc', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Wed, 03 Jun 2026 12:45:00 +0000

Type Values Removed Values Added
First Time appeared Alfio-event
Alfio-event alf.io
Vendors & Products Alfio-event
Alfio-event alf.io

Wed, 03 Jun 2026 02:30:00 +0000

Type Values Removed Values Added
Description alf.io is an open source ticket reservation system for conferences, trade shows, workshops, and meetups. Prior to version 2.0-M5-2606, a sandbox escape vulnerability in the alf.io extension script engine allows an authenticated administrator to execute arbitrary operating system commands on the server. The extension system is intended to execute restricted JavaScript in a sandboxed Rhino environment; however, a combination of an unguarded injected Java object (`returnClass`) and an incomplete AST blocklist allows the sandbox to be fully escaped using Java reflection without triggering any validation errors. Version 2.0-M5-2606 patches the issue.
Title alf.io has an Authenticated RCE via Extension Script Sandbox Escape
Weaknesses CWE-863
References
Metrics cvssV3_1

{'score': 8, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:H/UI:N/S:C/C:H/I:H/A:H'}

Subscriptions

Alfio-event Alf.io
cve-icon MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-06-03T14:08:53.231Z

Reserved: 2026-04-02T20:49:44.454Z

Link: CVE-2026-35482

cve-icon Vulnrichment

Updated: 2026-06-03T14:08:42.265Z

cve-icon NVD

Status : Received

Published: 2026-06-02T23:16:37.473

Modified: 2026-06-03T16:16:28.630

Link: CVE-2026-35482

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-06-03T10:54:23Z

Weaknesses