CVE-2026-35582
OS Command Injection in Emissary Executrix.getCommand
Publication date: 2026-04-18
Last updated on: 2026-04-24
Assigner: GitHub, Inc.
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| nsa | emissary | to 8.43.0 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-116 | The product prepares a structured message for communication with another component, but encoding or escaping of the data is either missing or done incorrectly. As a result, the intended structure of the message is not preserved. |
| CWE-78 | The product constructs all or part of an OS command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended OS command when it is sent to a downstream component. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability exists in Emissary, a P2P based data-driven workflow engine, specifically in versions 8.42.0 and below. The method Executrix.getCommand() is vulnerable to OS command injection because it inserts temporary file paths into a shell command string (/bin/sh -c) without escaping or validating the input. Configuration keys IN_FILE_ENDING and OUT_FILE_ENDING are directly used in these paths, allowing an attacker who can write or modify a .cfg file to inject arbitrary shell metacharacters. This leads to execution of OS commands within the JVM process's security context. While the framework sanitizes placeName inputs, it does not sanitize file ending values, making this a framework-level defect with no safe mitigation for downstream users. The issue was fixed in version 8.43.0.
How can this vulnerability impact me? :
This vulnerability can have severe impacts as it allows an attacker with minimal privileges (only the ability to modify place configuration files) to execute arbitrary OS commands on the system running the JVM process. This can lead to full compromise of confidentiality, integrity, and availability of the affected system, including unauthorized data access, modification, or destruction, and potential disruption of services.
What immediate steps should I take to mitigate this vulnerability?
The vulnerability exists in Emissary versions 8.42.0 and below due to unsafe interpolation of file path configurations into shell commands without escaping or validation.
Immediate mitigation involves upgrading Emissary to version 8.43.0 or later, where this issue has been fixed.
Since no safe mitigation is available for downstream implementors and the vulnerability requires only place configuration authorship, restricting access to .cfg file modifications and limiting privileges of place authors can help reduce risk until the upgrade is applied.