Description
A security flaw has been discovered in PowerJob 5.1.0/5.1.1/5.1.2. The affected element is the function GroovyEvaluator.evaluate of the file /openApi/addWorkflowNode of the component OpenAPI Endpoint. The manipulation of the argument nodeParams results in code injection. The attack can be executed remotely. The project was informed of the problem early through an issue report but has not responded yet.
Published: 2026-04-07
Score: 6.9 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Remote Code Execution
Action: Patch ASAP
AI Analysis

Impact

The vulnerability resides in the GroovyEvaluator.evaluate function of the OpenAPI endpoint addWorkflowNode. By tampering with the nodeParams argument, an attacker can inject arbitrary Groovy scripts, leading to remote code execution on the PowerJob server and compromising confidentiality, integrity, and availability. This is a data injection flaw (CWE‑74) that allows runtime code injection (CWE‑94).

Affected Systems

The flaw impacts PowerJob versions 5.1.0, 5.1.1, and 5.1.2. Users of these releases must confirm whether their environment utilizes the vulnerable OpenAPI endpoint.

Risk and Exploitability

The CVSS score of 6.9 denotes medium severity, and the attack can be conducted remotely without authentication, raising the risk level. No EPSS data or KEV listing is available, so the exploitation likelihood remains uncertain, yet the openness of the endpoint and lack of protective controls suggest a significant threat. Administrators should treat the vulnerability as a potential remote code execution risk until a patch is applied.

Generated by OpenCVE AI on April 7, 2026 at 22:21 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the latest PowerJob release that contains the fix.
  • If a patch is not yet available, restrict network access to the OpenAPI endpoint and limit exposure to trusted users.
  • Implement input validation and monitoring to detect injected code execution attempts.

Generated by OpenCVE AI on April 7, 2026 at 22:21 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-wpwf-v25w-54g3 PowerJob's GroovyEvaluator.evaluate endpoint vulnerable to code injection
History

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
Description A security flaw has been discovered in PowerJob 5.1.0/5.1.1/5.1.2. The affected element is the function GroovyEvaluator.evaluate of the file /openApi/addWorkflowNode of the component OpenAPI Endpoint. The manipulation of the argument nodeParams results in code injection. The attack can be executed remotely. The project was informed of the problem early through an issue report but has not responded yet.
Title PowerJob OpenAPI Endpoint addWorkflowNode GroovyEvaluator.evaluate code injection
First Time appeared Powerjob
Powerjob powerjob
Weaknesses CWE-74
CWE-94
CPEs cpe:2.3:a:powerjob:powerjob:*:*:*:*:*:*:*:*
Vendors & Products Powerjob
Powerjob powerjob
References
Metrics cvssV2_0

{'score': 7.5, 'vector': 'AV:N/AC:L/Au:N/C:P/I:P/A:P/E:ND/RL:ND/RC:UR'}

cvssV3_0

{'score': 7.3, 'vector': 'CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R'}

cvssV3_1

{'score': 7.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:L/A:L/E:X/RL:X/RC:R'}

cvssV4_0

{'score': 6.9, 'vector': 'CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:L/VI:L/VA:L/SC:N/SI:N/SA:N/E:X'}

ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Subscriptions

Powerjob Powerjob
cve-icon MITRE

Status: PUBLISHED

Assigner: VulDB

Published:

Updated: 2026-04-07T20:03:03.560Z

Reserved: 2026-04-07T13:38:26.568Z

Link: CVE-2026-5739

cve-icon Vulnrichment

Updated: 2026-04-07T20:02:59.592Z

cve-icon NVD

Status : Deferred

Published: 2026-04-07T20:16:34.647

Modified: 2026-04-27T19:04:22.650

Link: CVE-2026-5739

cve-icon Redhat

No data.

cve-icon OpenCVE Enrichment

Updated: 2026-04-08T19:46:23Z

Weaknesses