CVE-2026-5739
Received - Intake
Remote Code Injection via GroovyEvaluator in PowerJob OpenAPI

Publication date: 2026-04-07

Last updated on: 2026-04-07

Assigner: VulDB

Description
A security flaw has been discovered in PowerJob 5.1.0/5.1.1/5.1.2. The affected element is the function GroovyEvaluator.evaluate of the file /openApi/addWorkflowNode of the component OpenAPI Endpoint. The manipulation of the argument nodeParams results in code injection. The attack can be executed remotely. The project was informed of the problem early through an issue report but has not responded yet.
Meta Information
Published
2026-04-07
Last Modified
2026-04-07
Generated
2026-05-07
AI Q&A
2026-04-08
EPSS Evaluated
2026-05-05
Affected Vendors & Products (3 associated CPEs)
Vendor Product Version / Range
powerjob powerjob 5.1.0
powerjob powerjob 5.1.1
powerjob powerjob 5.1.2
CWE ID Description
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?

This vulnerability allows unauthenticated remote code execution on the server running PowerJob, granting attackers full control over the server JVM environment and the ability to execute arbitrary commands.

Such unauthorized access and control can lead to data breaches, unauthorized data manipulation, and potential exposure of sensitive information, which may violate compliance requirements under standards like GDPR and HIPAA.

Specifically, the lack of authentication on OpenAPI endpoints and the ability to execute arbitrary code could compromise the confidentiality, integrity, and availability of data, all of which are critical aspects of these regulations.

Therefore, this vulnerability poses a significant risk to compliance with common security and privacy standards by enabling attackers to bypass security controls and potentially access or alter protected data.


Can you explain this vulnerability to me?

CVE-2026-5739 is a critical remote code execution vulnerability in PowerJob versions 5.1.0 through 5.1.2. It arises because the OpenAPI endpoints, including /openApi/addWorkflowNode, are exposed without authentication by default, allowing anyone to access them.

The vulnerability specifically involves the GroovyEvaluator.evaluate function, which executes user-supplied Groovy scripts without any sandboxing or security restrictions. An attacker can submit malicious Groovy code via the nodeParams parameter to the /openApi/addWorkflowNode endpoint.

This malicious script is stored and later executed on the server JVM when the workflow is run, enabling the attacker to execute arbitrary commands on the server with the privileges of the server process.


How can this vulnerability impact me?

This vulnerability allows unauthenticated attackers to remotely execute arbitrary code on the server running PowerJob, giving them full control over the server JVM environment. In practice, an attacker can:

  • Execute arbitrary system commands with server privileges, potentially leading to full system compromise.
  • Bypass any authentication or access controls since the OpenAPI endpoints are exposed without authentication by default.
  • Manipulate workflows and jobs to execute malicious payloads, causing disruption or data breaches.

How can this vulnerability be detected on my network or system? Can you suggest some commands?

This vulnerability can be detected by checking for unauthorized or suspicious POST requests to the OpenAPI endpoints exposed by PowerJob, especially the /openApi/addWorkflowNode endpoint where malicious Groovy scripts can be injected.

Network detection can involve monitoring HTTP POST requests to the following endpoints: /openApi/fetchAllJob, /openApi/saveJob, /openApi/addWorkflowNode, /openApi/saveWorkflow, and /openApi/runWorkflow.

You can use commands like the following to detect suspicious activity in logs or live traffic:

  • Use grep or similar tools to search server logs for POST requests to /openApi/addWorkflowNode containing suspicious Groovy script keywords such as 'Runtime', 'exec', or 'ProcessBuilder'. Example: `grep -i 'POST /openApi/addWorkflowNode' /var/log/nginx/access.log | grep -E 'Runtime|exec|ProcessBuilder'`
  • Use network monitoring tools like tcpdump or Wireshark to capture HTTP traffic and filter for POST requests to the vulnerable endpoints. Example: `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/openApi/addWorkflowNode'`

Additionally, checking the configuration file application.properties for the setting `oms.auth.openapi.enable` can help identify if authentication is enabled on the OpenAPI endpoints.
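The two checks above (scanning access logs for POSTs to the OpenAPI endpoints and reading `oms.auth.openapi.enable` from application.properties) can be combined into one small script. The following is an added example written for this page, not code from PowerJob or from VulDB. It assumes nginx "combined" log format in front of the PowerJob server, optionally extended with a quoted request body as a final field (a hypothetical custom `log_format`; standard access logs do not record bodies, so the keyword check on the body only fires when such a field is present). The log lines and properties files are constructed samples; a missing `oms.auth.openapi.enable` key is treated as disabled, following the advisory's statement that the endpoints are unauthenticated by default.

```python
"""Flag POSTs to PowerJob OpenAPI endpoints in access logs and check whether
OpenAPI authentication is enabled (added example for CVE-2026-5739)."""
import re
from dataclasses import dataclass, field

# Endpoints named in the advisory's detection guidance.
OPENAPI_ENDPOINTS = {
    "/openApi/fetchAllJob", "/openApi/saveJob", "/openApi/addWorkflowNode",
    "/openApi/saveWorkflow", "/openApi/runWorkflow",
}
# Keywords from the advisory. Only a weak signal: they are visible only when the
# request body is logged, and a script author can trivially avoid literal names.
SUSPICIOUS_BODY_KEYWORDS = ("Runtime", "exec", "ProcessBuilder")

# nginx "combined" format, optionally followed by one more quoted field holding
# the request body (assumed custom log_format; constructed for this example).
LOG_RE = re.compile(
    r'(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)(?: [^"]*)?" '
    r'(?P<status>\d{3}) (?:\d+|-) "[^"]*" "[^"]*"'
    r'(?: "(?P<body>.*)")?\s*$'
)


@dataclass
class Finding:
    ip: str
    ts: str
    path: str
    reasons: list = field(default_factory=list)


def scan_line(line):
    """Return a Finding for a POST to an OpenAPI endpoint, else None."""
    m = LOG_RE.match(line)
    if not m:
        return None
    path = m.group("path").split("?", 1)[0]  # drop query string
    if m.group("method") != "POST" or path not in OPENAPI_ENDPOINTS:
        return None
    reasons = ["POST to PowerJob OpenAPI endpoint"]
    body = (m.group("body") or "").lower()
    hits = [k for k in SUSPICIOUS_BODY_KEYWORDS if k.lower() in body]
    if hits:
        reasons.append("body mentions " + ", ".join(hits))
    return Finding(m.group("ip"), m.group("ts"), path, reasons)


def scan_log(lines):
    """Scan an iterable of access-log lines and return all findings."""
    return [f for f in (scan_line(line) for line in lines) if f is not None]


def openapi_auth_enabled(properties_text):
    """True only if oms.auth.openapi.enable is explicitly set to true.

    Handles the usual .properties separators ('=', ':' or whitespace) and
    skips comment lines. An absent key counts as disabled (assumed default).
    """
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("#", "!")):
            continue
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)$", line)
        if m and m.group(1) == "oms.auth.openapi.enable":
            return m.group(2).strip().lower() == "true"
    return False


# Constructed sample data; the second line carries the hypothetical body field.
SAMPLE_LOG = [
    '10.0.0.5 - - [07/Apr/2026:10:15:01 +0000] "GET /openApi/fetchAllJob?appId=1 HTTP/1.1" 200 512 "-" "curl/8.0"',
    '10.0.0.5 - - [07/Apr/2026:10:15:02 +0000] "POST /openApi/addWorkflowNode HTTP/1.1" 200 88 "-" "python-requests/2.31" "{\\"nodeParams\\":\\"... ProcessBuilder ...\\"}"',
    '10.0.0.9 - - [07/Apr/2026:10:16:40 +0000] "POST /openApi/runWorkflow HTTP/1.1" 200 40 "-" "curl/8.0"',
    '10.0.0.7 - - [07/Apr/2026:10:17:00 +0000] "POST /login HTTP/1.1" 302 0 "-" "Mozilla/5.0"',
]
SAMPLE_PROPERTIES_INSECURE = "# constructed\noms.auth.openapi.enable=false\nserver.port=7700\n"
SAMPLE_PROPERTIES_HARDENED = "oms.auth.openapi.enable = true\nserver.port=7700\n"

if __name__ == "__main__":
    for f in scan_log(SAMPLE_LOG):
        print(f"{f.ts} {f.ip} {f.path}: {'; '.join(f.reasons)}")
    print("OpenAPI auth enabled:", openapi_auth_enabled(SAMPLE_PROPERTIES_INSECURE))
```

Every POST to one of the five endpoints is reported, not only those with suspicious keywords: on an instance where `openapi_auth_enabled` returns False, any unexpected caller of these endpoints is worth investigating regardless of body content.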


What immediate steps should I take to mitigate this vulnerability?

Immediate mitigation steps include:

  • Enable authentication on the OpenAPI endpoints by changing the configuration property `oms.auth.openapi.enable` from `false` to `true` in the application.properties file and updating the `@Value` annotation in OpenApiInterceptor.java accordingly.
  • Implement sandboxing in the GroovyEvaluator component to restrict execution of dangerous classes and methods. This can be done using Groovy's SecureASTCustomizer or similar mechanisms to block usage of Runtime, ProcessBuilder, System, and other risky APIs.
  • Add input validation on the `nodeParams` parameter to reject any scripts containing dangerous keywords such as `Runtime`, `exec`, `ProcessBuilder`, etc.

These steps will help prevent unauthorized remote code execution by restricting access and limiting the ability to execute arbitrary Groovy scripts.

