CVE-2026-5739
Received Received - Intake
Remote Code Injection via GroovyEvaluator in PowerJob OpenAPI

Publication date: 2026-04-07

Last updated on: 2026-04-07

Assigner: VulDB

Description
A security flaw has been discovered in PowerJob 5.1.0/5.1.1/5.1.2. The affected element is the function GroovyEvaluator.evaluate of the file /openApi/addWorkflowNode of the component OpenAPI Endpoint. The manipulation of the argument nodeParams results in code injection. The attack can be executed remotely. The project was informed of the problem early through an issue report but has not responded yet.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-07
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-5739
EUVD
EUVD-2026-19896
Affected Vendors & Products
Showing 3 associated CPEs
Vendor Product Version / Range
powerjob powerjob 5.1.0
powerjob powerjob 5.1.1
powerjob powerjob 5.1.2
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-5739 is a critical remote code execution vulnerability in PowerJob versions 5.1.0 through 5.1.2. It arises because the OpenAPI endpoints, including /openApi/addWorkflowNode, are exposed without authentication by default, allowing anyone to access them.

The vulnerability specifically involves the GroovyEvaluator.evaluate function, which executes user-supplied Groovy scripts without any sandboxing or security restrictions. An attacker can submit malicious Groovy code via the nodeParams parameter to the /openApi/addWorkflowNode endpoint.

This malicious script is stored and later executed on the server JVM when the workflow is run, enabling the attacker to execute arbitrary commands on the server with the privileges of the server process.

Impact Analysis

This vulnerability allows unauthenticated attackers to remotely execute arbitrary code on the server running PowerJob. This means an attacker can gain full control over the server JVM environment.

  • Execute arbitrary system commands with server privileges, potentially leading to full system compromise.
  • Bypass any authentication or access controls since the OpenAPI endpoints are exposed without authentication by default.
  • Manipulate workflows and jobs to execute malicious payloads, causing disruption or data breaches.
Detection Guidance

This vulnerability can be detected by checking for unauthorized or suspicious POST requests to the OpenAPI endpoints exposed by PowerJob, especially the /openApi/addWorkflowNode endpoint where malicious Groovy scripts can be injected.

Network detection can involve monitoring HTTP POST requests to the following endpoints: /openApi/fetchAllJob, /openApi/saveJob, /openApi/addWorkflowNode, /openApi/saveWorkflow, and /openApi/runWorkflow.

You can use commands like the following to detect suspicious activity in logs or live traffic:

  • Use grep or similar tools to search server logs for POST requests to /openApi/addWorkflowNode containing suspicious Groovy script keywords such as 'Runtime', 'exec', or 'ProcessBuilder'. Example: `grep -i 'POST /openApi/addWorkflowNode' /var/log/nginx/access.log | grep -E 'Runtime|exec|ProcessBuilder'`
  • Use network monitoring tools like tcpdump or Wireshark to capture HTTP traffic and filter for POST requests to the vulnerable endpoints. Example: `tcpdump -A -s 0 'tcp port 80 and (((ip[2:2] - ((ip[0]&0xf)<<2)) - ((tcp[12]&0xf0)>>2)) != 0)' | grep '/openApi/addWorkflowNode'`

Additionally, checking the configuration file application.properties for the setting `oms.auth.openapi.enable` can help identify if authentication is enabled on the OpenAPI endpoints.

Mitigation Strategies

Immediate mitigation steps include:

  • Enable authentication on the OpenAPI endpoints by changing the configuration property `oms.auth.openapi.enable` from `false` to `true` in the application.properties file and updating the `@Value` annotation in OpenApiInterceptor.java accordingly.
  • Implement sandboxing in the GroovyEvaluator component to restrict execution of dangerous classes and methods. This can be done using Groovy's SecureASTCustomizer or similar mechanisms to block usage of Runtime, ProcessBuilder, System, and other risky APIs.
  • Add input validation on the `nodeParams` parameter to reject any scripts containing dangerous keywords such as `Runtime`, `exec`, `ProcessBuilder`, etc.

These steps will help prevent unauthorized remote code execution by restricting access and limiting the ability to execute arbitrary Groovy scripts.

Compliance Impact

This vulnerability allows unauthenticated remote code execution on the server running PowerJob, granting attackers full control over the server JVM environment and the ability to execute arbitrary commands.

Such unauthorized access and control can lead to data breaches, unauthorized data manipulation, and potential exposure of sensitive information, which may violate compliance requirements under standards like GDPR and HIPAA.

Specifically, the lack of authentication on OpenAPI endpoints and the ability to execute arbitrary code could compromise the confidentiality, integrity, and availability of data, all of which are critical aspects of these regulations.

Therefore, this vulnerability poses a significant risk to compliance with common security and privacy standards by enabling attackers to bypass security controls and potentially access or alter protected data.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-5739. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart