Description
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the configuration API endpoint (/api/configuration/{name}) validated configuration names using a blacklist approach that checked for \, /, .., and trailing .. This could potentially be bypassed using URL-encoded variants, double-encoding, or Unicode normalization to achieve path traversal and read configuration files outside the intended directory. This vulnerability is fixed in 8.39.0.
Published: 2026-04-07
Score: 5.3 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Information disclosure via path traversal
Action: Apply Patch
AI Analysis

Impact

An endpoint in Emissary’s configuration API (/api/configuration/{name}) validated the configuration name using a blacklist that blocked characters such as backslashes, forward slashes, and double periods. Because the blacklist could be bypassed by using URL‑encoded, double‑encoded, or Unicode‑normalized strings, an attacker could supply a crafted name that resolves to a file outside the intended configuration directory, allowing them to read arbitrary configuration files and thereby compromising confidentiality.
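The two validation strategies contrasted above, a blacklist over the raw name beside a decode-normalize-allowlist check that also confirms the resolved path stays inside the configuration directory, as an added Python example. This is not Emissary's code: the base directory, the function names and the sample names are assumptions constructed for illustration, and the encoded and fullwidth names are only the negative test cases the advisory's bypass classes call for.

```python
"""Blacklist filtering vs. canonical-path validation for a config lookup.

Added example, not the project's code. Assumes config files live in a
single directory (CONFIG_DIR) and a request for {name} maps to
CONFIG_DIR/<name>. Function and directory names are hypothetical.
"""
import re
import unicodedata
from pathlib import Path
from urllib.parse import unquote

CONFIG_DIR = Path("/opt/app/config")  # assumed base directory


def blacklist_ok(name: str) -> bool:
    """The weak check the advisory describes: reject a few literal sequences
    (backslash, slash, '..', trailing '.') in the raw string. Anything that
    only turns into those sequences after decoding or normalization passes."""
    return not ("\\" in name or "/" in name or ".." in name or name.endswith("."))


def fully_decode(name: str, max_rounds: int = 3) -> str:
    """Percent-decode until the value stops changing, so a double-encoded
    name is judged on what it finally becomes rather than on its wrapper.
    Refusing more than a few layers is fine: no legitimate name needs them."""
    for _ in range(max_rounds):
        decoded = unquote(name)
        if decoded == name:
            return decoded
        name = decoded
    raise ValueError("too many percent-encoding layers")


# Allowlist: a config name is a short token of safe ASCII characters that
# starts with a letter or digit (so '.' and '..' cannot match).
NAME_RE = re.compile(r"^[A-Za-z0-9][A-Za-z0-9_.-]{0,127}$")


def resolve_config(name: str, base: Path = CONFIG_DIR) -> Path:
    """Hardened check: canonicalize first (decode, NFKC-normalize so
    fullwidth look-alikes become their ASCII forms), then allowlist the
    characters, then resolve the path and require it to sit directly in base."""
    canon = unicodedata.normalize("NFKC", fully_decode(name))
    if not NAME_RE.fullmatch(canon) or ".." in canon:
        raise ValueError(f"invalid configuration name: {name!r}")
    target = (base / canon).resolve()
    # Defense in depth: even after the allowlist, insist the resolved file's
    # parent is the base directory (resolve() also follows symlinks).
    if target.parent != base.resolve():
        raise ValueError(f"configuration name escapes base directory: {name!r}")
    return target


def compare(names):
    """Run both validators over a list of names.
    Returns {name: (blacklist_accepts, hardened_accepts)}."""
    results = {}
    for n in names:
        try:
            resolve_config(n)
            hardened = True
        except ValueError:
            hardened = False
        results[n] = (blacklist_ok(n), hardened)
    return results


if __name__ == "__main__":
    # Constructed inputs: one legitimate name, one literal traversal, and
    # the three bypass classes named in the advisory (URL-encoded,
    # double-encoded, Unicode-normalizable).
    sample = [
        "server.cfg",
        "../server.cfg",
        "%2e%2e%2fserver.cfg",
        "%252e%252e%252fserver.cfg",
        "\uff0e\uff0e\uff0fserver.cfg",
    ]
    for name, (bl, hard) in compare(sample).items():
        print(f"{name!r:36} blacklist={bl!s:5} hardened={hard}")
```

The point the comparison makes is that the blacklist is evaluated on a representation the file system never sees; the hardened version validates the value the file system will actually receive and, independently, checks where the resolved path lands. Both checks should stay: the allowlist rejects bad input early with a clear error, and the containment check catches anything a future change to the allowlist lets through.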

Affected Systems

The vulnerability affects National Security Agency Emissary versions earlier than 8.39.0. Any installation that has not been updated to 8.39.0 or later exposes the /api/configuration/{name} endpoint to this risk.

Risk and Exploitability

The CVSS score of 5.3 indicates a moderate severity level, and according to the data there is no EPSS score or KEV listing. Based on the description, it is inferred that the attack requires an attacker to send an HTTP request to the vulnerable endpoint. If the endpoint is reachable by untrusted users or publicly exposed, the attacker could then execute a path traversal and read configuration files, resulting in moderate risk due to potential confidentiality damage.

Generated by OpenCVE AI on April 8, 2026 at 00:22 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Emissary to version 8.39.0 or later
  • Restrict access to the configuration API so that only trusted administrators or internal services can reach it, enforcing authentication and network segmentation
  • Check for vendor updates and apply them promptly

Advisories
Source: Github GHSA
ID: GHSA-hxf2-gm22-7vcm
Title: Emissary has a Path Traversal via Blacklist Bypass in Configuration API
History

Thu, 16 Apr 2026 19:00:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Nsa; Nsa emissary
CPEs                |                | cpe:2.3:a:nsa:emissary:*:*:*:*:*:*:*:*
Vendors & Products  |                | Nsa; Nsa emissary

Thu, 09 Apr 2026 17:15:00 +0000

Type    | Values Removed | Values Added
Metrics |                | ssvc {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Wed, 08 Apr 2026 20:15:00 +0000

Type                | Values Removed | Values Added
First Time appeared |                | Nationalsecurityagency; Nationalsecurityagency emissary
Vendors & Products  |                | Nationalsecurityagency; Nationalsecurityagency emissary

Tue, 07 Apr 2026 18:00:00 +0000

Type        | Values Removed | Values Added
Description |                | Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the configuration API endpoint (/api/configuration/{name}) validated configuration names using a blacklist approach that checked for \, /, .., and trailing .. This could potentially be bypassed using URL-encoded variants, double-encoding, or Unicode normalization to achieve path traversal and read configuration files outside the intended directory. This vulnerability is fixed in 8.39.0.
Title       |                | Emissary has a Path Traversal via Blacklist Bypass in Configuration API
Weaknesses  |                | CWE-22
References  |                |
Metrics     |                | cvssV3_1 {'score': 5.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N'}


Subscriptions

Nationalsecurityagency Emissary
Nsa Emissary
MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-04-09T16:18:56.328Z

Reserved: 2026-04-03T20:09:02.827Z

Link: CVE-2026-35583

Vulnrichment

Updated: 2026-04-09T16:12:30.294Z

NVD

Status : Analyzed

Published: 2026-04-07T17:16:33.663

Modified: 2026-04-16T18:57:47.437

Link: CVE-2026-35583

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-04-08T19:48:06Z

Weaknesses