Executive Summary

CVE-2026-42785 is a remote code execution vulnerability in OpenKM version 6.3.12 and earlier, including Professional Edition up to 7.1.47. It allows authenticated administrators to execute arbitrary Java or BeanShell code through the /admin/Scripting endpoint by submitting malicious script content with an action=Evaluate parameter.

This means that an attacker with administrator access can run operating system commands within the OpenKM application server context, potentially compromising the server.

The vulnerability is classified as CWE-94, which relates to improper control of code generation or code injection.

Useful 0 Not Useful 0

Impact Analysis

This vulnerability can have severe impacts because it allows an authenticated administrator to execute arbitrary code on the server hosting OpenKM.

• Attackers can run operating system commands, potentially leading to full system compromise.
• It can result in unauthorized access to sensitive data stored within the OpenKM system.
• The integrity and availability of the application and its data can be disrupted.
• It increases the risk of further attacks, such as lateral movement within the network or deployment of malware.

Useful 0 Not Useful 0

Compliance Impact

The vulnerability in OpenKM 6.3.12 allows authenticated administrators to execute arbitrary code on the server, potentially leading to unauthorized access, data manipulation, or data breaches.

Such unauthorized access and potential data compromise can negatively impact compliance with data protection regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and access.

Specifically, exploitation of this vulnerability could lead to exposure or alteration of sensitive personal or health information managed within OpenKM, thereby violating regulatory requirements for data security and privacy.

Organizations using affected versions of OpenKM should consider this vulnerability a significant risk to their compliance posture and take immediate steps to mitigate or remediate the issue.

Useful 0 Not Useful 0

Detection Guidance

This vulnerability can be detected by checking for attempts to access the /admin/Scripting endpoint with the action=Evaluate parameter, which is used to submit malicious script content for execution.

Detection templates and exploit code are available from security researchers, which can be used to identify attempts to exploit this vulnerability.

Network monitoring tools or web application firewalls can be configured to log or block requests containing the /admin/Scripting endpoint with suspicious parameters.

• Use tools like curl or wget to test the endpoint manually, for example: curl -u admin:password "http://<target>/admin/Scripting?action=Evaluate" -d "script=print('test')"
• Monitor web server logs for POST requests to /admin/Scripting with action=Evaluate.

Useful 0 Not Useful 0

Mitigation Strategies

Immediate mitigation steps include restricting access to the /admin/Scripting endpoint to only trusted administrators and limiting network exposure.

Ensure that only authenticated administrators have access to this endpoint and monitor for any suspicious activity.

Apply any available patches or updates from OpenKM that address this vulnerability.

Consider disabling or restricting the scripting functionality if it is not required.

Useful 0 Not Useful 0