Description
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the Executrix utility class constructed shell commands by concatenating configuration-derived values — including the PLACE_NAME parameter — with insufficient sanitization. Only spaces were replaced with underscores, allowing shell metacharacters (;, |, $, `, (, ), etc.) to pass through into /bin/sh -c command execution. This vulnerability is fixed in 8.39.0.
Published: 2026-04-07
Score: 7.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Command Injection
Action: Immediate Patch
AI Analysis

Impact

The vulnerability arises because the Emissary Executrix utility concatenates configuration values, such as PLACE_NAME, directly into shell commands with only whitespace replaced by underscores. This allows shell metacharacters (for example ; | $ ` ( )) to reach /bin/sh -c, giving an attacker the ability to run arbitrary commands. The weakness is a classic command injection flaw under CWE-78. Successful exploitation could compromise the confidentiality, integrity, and availability of the host system, since the injected commands run with the permissions of the Emissary process.
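Added example, not Emissary's own code: the space-to-underscore sanitization the advisory describes, placed beside an allowlist check that rejects anything outside a safe character set, with the command assembled as an argv list for ProcessBuilder instead of a /bin/sh -c string. Only the PLACE_NAME parameter name comes from the advisory; the class, method names, allowlist policy and sample values are hypothetical.

```java
import java.util.List;
import java.util.regex.Pattern;

// Hypothetical guard class; the allowlist below is an assumed policy, not Emissary's.
public final class PlaceNameGuard {
    // Letters, digits, '_', '-', '.'; 1 to 128 characters. Nothing a shell would interpret.
    private static final Pattern ALLOWED = Pattern.compile("[A-Za-z0-9_.-]{1,128}");

    /** The pre-8.39.0 style described in the advisory: only spaces are touched. */
    static String legacySanitize(String placeName) {
        return placeName.replace(' ', '_');
    }

    /** Strict validation: reject the value rather than trying to escape it. */
    static String requireSafePlaceName(String placeName) {
        if (placeName == null || !ALLOWED.matcher(placeName).matches()) {
            throw new IllegalArgumentException("PLACE_NAME rejected by allowlist");
        }
        return placeName;
    }

    /** Build argv for ProcessBuilder so no shell ever parses the value. */
    static List<String> buildArgv(String executable, String placeName) {
        return List.of(executable, requireSafePlaceName(placeName));
    }

    public static void main(String[] args) {
        // Constructed sample values for demonstration only.
        String benign = "My Place";
        String withMetachar = "place|x";   // one of the characters the advisory lists

        System.out.println(legacySanitize(benign));        // My_Place
        System.out.println(legacySanitize(withMetachar));  // unchanged: '|' passes through
        System.out.println(buildArgv("/opt/tool", "My_Place"));
        try {
            buildArgv("/opt/tool", withMetachar);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```

Compile and run with `javac PlaceNameGuard.java && java PlaceNameGuard`; the last line printed shows the allowlist refusing the value the legacy path let through.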

Affected Systems

The affected product is the Emissary workflow engine supplied by the National Security Agency. Versions of Emissary older than 8.39.0 are vulnerable. No other vendors or product lines are listed.

Risk and Exploitability

The CVSS score of 7.2 indicates a high severity level. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a maliciously crafted PLACE_NAME configuration entry, which an attacker can supply if they are able to modify configuration files or use the management interface. This requires the attacker to already have write access to the Emissary configuration; once that is obtained, arbitrary shell commands can be executed on the host.

Generated by OpenCVE AI on April 7, 2026 at 22:45 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the official patch by upgrading Emissary to version 8.39.0 or later.
  • If immediate upgrade is not feasible, carefully sanitise or remove any shell metacharacters from all PLACE_NAME configuration entries before restarting the service.
  • Monitor configuration files and application logs for unauthorized changes or unexpected shell command execution.

Generated by OpenCVE AI on April 7, 2026 at 22:45 UTC.


Advisories

Source: GitHub GHSA
ID: GHSA-6c37-7w4p-jg9v
Title: Emissary has a Command Injection via PLACE_NAME Configuration in Executrix
History

Thu, 16 Apr 2026 18:15:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Nsa; Nsa emissary
Type: CPEs
  Values Removed: (none)
  Values Added: cpe:2.3:a:nsa:emissary:*:*:*:*:*:*:*:*
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Nsa; Nsa emissary

Wed, 08 Apr 2026 20:15:00 +0000

Type: First Time appeared
  Values Removed: (none)
  Values Added: Nationalsecurityagency; Nationalsecurityagency emissary
Type: Vendors & Products
  Values Removed: (none)
  Values Added: Nationalsecurityagency; Nationalsecurityagency emissary

Wed, 08 Apr 2026 15:15:00 +0000

Type: Metrics
  Values Removed: (none)
  Values Added: ssvc
  {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}


Tue, 07 Apr 2026 18:00:00 +0000

Type: Description
  Values Removed: (none)
  Values Added: Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the Executrix utility class constructed shell commands by concatenating configuration-derived values — including the PLACE_NAME parameter — with insufficient sanitization. Only spaces were replaced with underscores, allowing shell metacharacters (;, |, $, `, (, ), etc.) to pass through into /bin/sh -c command execution. This vulnerability is fixed in 8.39.0.
Type: Title
  Values Removed: (none)
  Values Added: Emissary has a Command Injection via PLACE_NAME Configuration in Executrix
Type: Weaknesses
  Values Removed: (none)
  Values Added: CWE-78
Type: References
  Values Removed: (none)
  Values Added: (none)
Type: Metrics
  Values Removed: (none)
  Values Added: cvssV3_1
  {'score': 7.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-08T14:57:47.316Z

Reserved: 2026-04-03T20:09:02.827Z

Link: CVE-2026-35581

Vulnrichment

Updated: 2026-04-08T14:57:43.213Z

NVD

Status : Analyzed

Published: 2026-04-07T17:16:33.493

Modified: 2026-04-16T18:00:24.503

Link: CVE-2026-35581

Red Hat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:48:08Z

Weaknesses