CVE-2026-6125
Remote Code Injection in Dromara Warm-Flow Workflow Handler
Publication date: 2026-04-12
Last updated on: 2026-04-29
Assigner: VulDB
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| dromara | warm-flow | up to 1.8.4 (inclusive) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-94 | The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment. |
| CWE-74 | The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component. |
AI Powered Q&A
Can you explain this vulnerability to me?
CVE-2026-6125 is a critical Remote Code Execution (RCE) vulnerability in the warm-flow workflow engine (versions up to 1.8.4). It arises from unsafe handling of Spring Expression Language (SpEL) expressions in the SpelHelper.parseExpression method. This method uses an unsandboxed StandardEvaluationContext that allows unrestricted access to Java runtime classes and methods.
Attackers with workflow design privileges can inject malicious SpEL expressions into specific workflow definition fields (listenerPath, skipCondition, permissionFlag) via the /warm-flow/save-json HTTP endpoint. When the workflow instance is published and started, these expressions are evaluated, enabling arbitrary OS command execution on the server.
This vulnerability allows attackers to execute system commands remotely, potentially leading to full server compromise.
How can this vulnerability impact me?
This vulnerability can have severe impacts including remote code execution on the affected server. Attackers can execute arbitrary system commands with the privileges of the application runtime user.
Consequences include complete server compromise, such as reading and writing files, modifying databases, establishing reverse shells, and taking full control over the server.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
Detection of CVE-2026-6125 involves monitoring for suspicious activity related to the injection and execution of malicious Spring Expression Language (SpEL) payloads in the warm-flow workflow engine.
Specifically, you can look for unusual POST requests to the `/warm-flow/save-json` endpoint containing SpEL expressions in fields such as `listenerPath`, `skipCondition`, or `permissionFlag`.
Additionally, after workflow publishing and starting, check for unexpected command execution on the server, such as creation of files like `/tmp/pwned.txt` or other indicators of compromise.
- Use network monitoring tools or web application firewalls (WAF) to detect POST requests with payloads containing patterns like `#{T(java.lang.Runtime).getRuntime().exec(...)}`.
- On the server, use commands to detect suspicious files or processes, for example:
  - Check for files created by injected commands: `cat /tmp/pwned.txt`
  - Monitor running processes for unexpected commands: `ps aux | grep java` or `ps aux | grep sh`
- Review application logs for POST requests to `/warm-flow/save-json` containing SpEL expressions.
What immediate steps should I take to mitigate this vulnerability?
Immediate mitigation steps for CVE-2026-6125 include restricting access to, and preventing exploitation of, the vulnerable SpEL injection points in the warm-flow workflow engine.
- Restrict access to the `/warm-flow/save-json` endpoint to trusted users only, especially limiting workflow design privileges.
- Implement strong authentication and authorization controls in the integrating business system to prevent unauthorized workflow design changes.
- Monitor and block suspicious SpEL expressions in workflow definitions, particularly those containing `T(java.lang.Runtime).getRuntime().exec` or similar command execution patterns.
- If possible, upgrade warm-flow to a version later than 1.8.4 where this vulnerability is fixed or apply patches provided by the vendor or community.
- As a temporary measure, disable or restrict the use of SpEL expressions in workflow definitions until a secure fix is applied.
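As an added example (not warm-flow's own code), the following contrasts the unsandboxed `StandardEvaluationContext` described above with a restricted `SimpleEvaluationContext`, which is the standard way to close this kind of SpEL injection point when expressions in workflow fields cannot simply be disabled. It assumes `spring-expression` on the classpath, raw SpEL expressions without the `#{...}` template wrapper, and constructed workflow variables (`amount`, `dept`).

```java
import java.util.HashMap;
import java.util.Map;
import org.springframework.expression.EvaluationContext;
import org.springframework.expression.EvaluationException;
import org.springframework.expression.ExpressionParser;
import org.springframework.expression.spel.standard.SpelExpressionParser;
import org.springframework.expression.spel.support.SimpleEvaluationContext;
import org.springframework.expression.spel.support.StandardEvaluationContext;

// Added example, not code from warm-flow: evaluates a workflow field such as
// skipCondition with the weak evaluation context beside the hardened one.
public class SpelContextDemo {
    private static final ExpressionParser PARSER = new SpelExpressionParser();

    // Weak setting (the pattern behind CVE-2026-6125): StandardEvaluationContext
    // resolves T(...) type references and reflective method calls, so every JDK
    // class, Runtime included, is reachable from user-supplied text.
    static Object evaluateUnsandboxed(String expr) {
        EvaluationContext ctx = new StandardEvaluationContext();
        return PARSER.parseExpression(expr).getValue(ctx);
    }

    // Hardened setting: SimpleEvaluationContext has no TypeLocator, no
    // BeanResolver and, as built here, no MethodResolver, so T(...) and
    // method invocation raise an EvaluationException. Only the variables
    // the caller exposes explicitly are visible to the expression.
    static Object evaluateRestricted(String expr, Map<String, Object> vars) {
        SimpleEvaluationContext ctx = SimpleEvaluationContext.forReadOnlyDataBinding().build();
        vars.forEach(ctx::setVariable);
        return PARSER.parseExpression(expr).getValue(ctx);
    }

    public static void main(String[] args) {
        // Constructed sample: a legitimate skipCondition over workflow variables.
        Map<String, Object> vars = new HashMap<>();
        vars.put("amount", 5000);
        vars.put("dept", "finance");
        String legit = "#amount > 1000 and #dept == 'finance'";
        System.out.println("restricted, legitimate condition: " + evaluateRestricted(legit, vars));
        // A harmless type reference; the unsandboxed context resolves it by the
        // same mechanism that reaches java.lang.Runtime in the real attack.
        String typeRef = "T(java.lang.System).getProperty('java.version')";
        System.out.println("unsandboxed, T(...): " + evaluateUnsandboxed(typeRef));
        try {
            evaluateRestricted(typeRef, vars);
        } catch (EvaluationException e) {
            System.out.println("restricted, T(...): rejected, " + e.getMessage());
        }
    }
}
```

If legitimate workflow expressions need to call methods on the exposed objects, build the context with `withInstanceMethods()` rather than falling back to `StandardEvaluationContext`; type references stay blocked either way.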
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The CVE-2026-6125 vulnerability allows remote code execution and complete server compromise by authenticated users with workflow design privileges. This can lead to unauthorized access, modification, or exfiltration of sensitive data stored or processed by the affected system.
Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access and ensure data integrity and confidentiality.
Therefore, exploitation of this vulnerability could result in violations of these regulations due to compromised data security controls.