CVE-2026-12986
Admin GUI Token Leak in Payara Server

Publication date: 2026-06-24

Last updated on: 2026-06-24

Assigner: Payara

Description
A critical vulnerability in the Admin GUI of Payara Server Full 4.x, 5.x, 6.x, 7.x, 7.2026.x, 6.2025.x and 6.2024.x on all platforms allows an attacker to leak the admin gfresttoken to an attacker-controlled host, which can result in a full unauthenticated takeover of the Payara admin domain. A Server-Side Request Forgery (SSRF) vulnerability in the DownloadServlet of the Admin GUI in Payara Server allows a remote attacker to exfiltrate the administrator's REST session token (gfresttoken) to an attacker-controlled host via a crafted request URL. Combined with the absence of CSRF protection on DownloadServlet, an unauthenticated attacker can trick a logged-in administrator into triggering the token leak, then replay the stolen token to gain full administrative access to the Payara domain, leading to arbitrary code execution via WAR deployment. The vulnerability exists in the DownloadServlet and the associated ContentSource implementations (LogViewerContentSource, LogFilesContentSource, LBConfigContentSource, ClientStubsContentSource) within the admingui:console-common module.
Affected Vendors & Products (8 associated CPEs)

Vendor   Product    Version / Range
payara   platform   7.2026.6
payara   server     4.x
payara   server     5.x
payara   server     6.x
payara   server     7.x
payara   server     7.2026.x
payara   server     6.2025.x
payara   server     6.2024.x
CWE ID    Description
CWE-918   The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CWE-352   The web application does not, or cannot, sufficiently verify whether a request was intentionally provided by the user who sent the request, which could have originated from an unauthorized actor.
Compliance Impact

The vulnerability allows an attacker to exfiltrate the administrator's REST session token and gain full administrative access to the Payara domain, potentially leading to arbitrary code execution. Such unauthorized access and data leakage could compromise the confidentiality and integrity of sensitive data managed by the system.

This type of security breach can impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of sensitive data and secure administrative controls to prevent unauthorized access.

Therefore, organizations using affected Payara Server versions may face increased risk of non-compliance due to potential data breaches and insufficient access controls stemming from this vulnerability.

Executive Summary

CVE-2026-12986 is a critical vulnerability in the Admin GUI of Payara Server versions 4.x through 7.2026.x on all platforms. It involves a Server-Side Request Forgery (SSRF) flaw in the DownloadServlet component that allows a remote attacker to exfiltrate the administrator's REST session token (gfresttoken) to an attacker-controlled host.

Because the DownloadServlet lacks Cross-Site Request Forgery (CSRF) protection, an unauthenticated attacker can trick a logged-in administrator into triggering this token leak. The attacker can then replay the stolen token to gain full administrative access to the Payara domain.

This full administrative access can lead to arbitrary code execution, for example, by deploying malicious WAR files. The vulnerability affects the DownloadServlet and related ContentSource implementations within the admingui:console-common module.

Impact Analysis

This vulnerability can have severe impacts, including a full unauthenticated takeover of the Payara admin domain.

An attacker can exfiltrate the administrator's REST session token and use it to gain full administrative privileges without authentication.

With full admin access, the attacker can execute arbitrary code, such as deploying malicious applications, potentially compromising the entire server and any applications running on it.

Mitigation Strategies

To mitigate CVE-2026-12986 in Payara Server, update to the latest version of the Payara Platform Community, specifically version 7.2026.6 or later, which addresses the CSRF and SSRF vulnerabilities in the Admin Console and REST Management Interface.
