Executive Summary

CVE-2026-35583 is a path traversal vulnerability in the configuration API endpoint (/api/configuration/{name}) of the Emissary workflow engine versions prior to 8.39.0.

The vulnerability exists because the API validated configuration names using a blacklist approach that rejected certain characters like backslashes (\), forward slashes (/), double dots (..), and trailing dots (.), but this validation did not account for URL-encoded variants, double-encoded sequences, or Unicode normalization.

Attackers could bypass the blacklist by encoding these characters in ways that the validation missed, allowing them to perform path traversal attacks and read configuration files outside the intended directory.

This issue was fixed in version 8.39.0 by replacing the blacklist with an allowlist regex pattern that only permits alphanumeric characters, dots, underscores, and hyphens, effectively blocking traversal attempts.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability allows an attacker to read configuration files outside the intended directory by exploiting path traversal through the configuration API.

The impact includes unauthorized disclosure of potentially sensitive configuration data.

The CVSS score of 5.3 indicates a moderate severity with low confidentiality impact, no integrity or availability impact, and no privileges or user interaction required.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by monitoring requests to the configuration API endpoint `/api/configuration/{name}` for attempts to use path traversal payloads. Specifically, look for URL-encoded variants (e.g., `%2e%2e%2f`), double-encoded sequences (e.g., `%252e%252e%252f`), or Unicode normalization attempts in the configuration name parameter.

You can use network monitoring or web server logs to identify suspicious requests containing these encoded sequences targeting `/api/configuration/`.

Example commands to detect such attempts include:

• Using grep on web server logs to find encoded traversal attempts: `grep -E '%2e%2e%2f|%252e%252e%252f' access.log | grep '/api/configuration/'`
• Using tcpdump or tshark to capture HTTP traffic and filter for suspicious encoded sequences:
• `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep -E '%2e%2e%2f|%252e%252e%252f'`
• Using curl or similar tools to test the endpoint with encoded payloads to verify if the system is vulnerable.

Useful 0 Not Useful 0

Compliance Impact

This vulnerability allows unauthorized read access to configuration files outside the intended directory, potentially disclosing sensitive configuration data.

Such unauthorized disclosure of sensitive information could impact compliance with data protection standards and regulations like GDPR and HIPAA, which require safeguarding sensitive data against unauthorized access.

However, the provided information does not explicitly discuss compliance implications or specific regulatory impacts.

Useful 0 Not Useful 0

Mitigation Strategies

The vulnerability is fixed in Emissary version 8.39.0 by replacing the insecure blacklist validation with a strict allowlist regex that only permits alphanumeric characters, dots, underscores, and hyphens.

Immediate mitigation steps before upgrading include deploying a reverse proxy or Web Application Firewall (WAF) rule to block requests containing encoded path traversal sequences targeting the `/api/configuration/` endpoint.

• Upgrade Emissary to version 8.39.0 or later where the vulnerability is fixed.
• Implement WAF or reverse proxy rules to detect and block requests with URL-encoded, double-encoded, or Unicode normalized path traversal payloads.
• Monitor logs for suspicious requests and block offending IP addresses if necessary.

Useful 0 Not Useful 0