CVE-2026-6125
Received Received - Intake
Remote Code Injection in Dromara Warm-Flow Workflow Handler

Publication date: 2026-04-12

Last updated on: 2026-04-29

Assigner: VulDB

Description
A security flaw has been discovered in Dromara warm-flow up to 1.8.4. Impacted is the function SpelHelper.parseExpression of the file /warm-flow/save-json of the component Workflow Definition Handler. The manipulation of the argument listenerPath/skipCondition/permissionFlag results in code injection. The attack may be performed from remote. The exploit has been released to the public and may be used for attacks.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-12
Last Modified
2026-04-29
Generated
2026-06-19
AI Q&A
2026-04-12
EPSS Evaluated
2026-06-18
NVD
CVE-2026-6125
EUVD
EUVD-2026-21729
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
dromara warm-flow to 1.8.4 (inc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-94 The product constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CWE-74 The product constructs all or part of a command, data structure, or record using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify how it is parsed or interpreted when it is sent to a downstream component.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

CVE-2026-6125 is a critical Remote Code Execution (RCE) vulnerability in the warm-flow workflow engine (versions up to 1.8.4). It arises from unsafe handling of Spring Expression Language (SpEL) expressions in the SpelHelper.parseExpression method. This method uses an unsandboxed StandardEvaluationContext that allows unrestricted access to Java runtime classes and methods.

Attackers with workflow design privileges can inject malicious SpEL expressions into specific workflow definition fields (listenerPath, skipCondition, permissionFlag) via the /warm-flow/save-json HTTP endpoint. When the workflow instance is published and started, these expressions are evaluated, enabling arbitrary OS command execution on the server.

This vulnerability allows attackers to execute system commands remotely, potentially leading to full server compromise.

Impact Analysis

This vulnerability can have severe impacts including remote code execution on the affected server. Attackers can execute arbitrary system commands with the privileges of the application runtime user.

Consequences include complete server compromise, such as reading and writing files, modifying databases, establishing reverse shells, and taking full control over the server.

Detection Guidance

Detection of CVE-2026-6125 involves monitoring for suspicious activity related to the injection and execution of malicious Spring Expression Language (SpEL) payloads in the warm-flow workflow engine.

Specifically, you can look for unusual POST requests to the `/warm-flow/save-json` endpoint containing SpEL expressions in fields such as `listenerPath`, `skipCondition`, or `permissionFlag`.

Additionally, after workflow publishing and starting, check for unexpected command execution on the server, such as creation of files like `/tmp/pwned.txt` or other indicators of compromise.

  • Use network monitoring tools or web application firewalls (WAF) to detect POST requests with payloads containing patterns like `#{T(java.lang.Runtime).getRuntime().exec(...)}`.
  • On the server, use commands to detect suspicious files or processes, for example:
  • Check for files created by injected commands: `cat /tmp/pwned.txt`
  • Monitor running processes for unexpected commands: `ps aux | grep java` or `ps aux | grep sh`
  • Review application logs for POST requests to `/warm-flow/save-json` containing SpEL expressions.
Mitigation Strategies

Immediate mitigation steps for CVE-2026-6125 include restricting access and preventing exploitation of the vulnerable SpEL injection points in warm-flow workflow engine.

  • Restrict access to the `/warm-flow/save-json` endpoint to trusted users only, especially limiting workflow design privileges.
  • Implement strong authentication and authorization controls in the integrating business system to prevent unauthorized workflow design changes.
  • Monitor and block suspicious SpEL expressions in workflow definitions, particularly those containing `T(java.lang.Runtime).getRuntime().exec` or similar command execution patterns.
  • If possible, upgrade warm-flow to a version later than 1.8.4 where this vulnerability is fixed or apply patches provided by the vendor or community.
  • As a temporary measure, disable or restrict the use of SpEL expressions in workflow definitions until a secure fix is applied.
Compliance Impact

The CVE-2026-6125 vulnerability allows remote code execution and complete server compromise by authenticated users with workflow design privileges. This can lead to unauthorized access, modification, or exfiltration of sensitive data stored or processed by the affected system.

Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information against unauthorized access and ensure data integrity and confidentiality.

Therefore, exploitation of this vulnerability could result in violations of these regulations due to compromised data security controls.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-6125. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart