ZeroPath at Black Hat USA 2026

Eclipse GlassFish CVE-2026-2586: Brief Summary of a Critical Expression Language Injection Leading to Remote Code Execution

A brief summary of CVE-2026-2586, a critical Expression Language injection vulnerability in the Eclipse GlassFish Administration Console that allows authenticated administrators to execute arbitrary OS commands via crafted requests.

CVE Analysis

6 min read

ZeroPath CVE Analysis
ZeroPath CVE Analysis

2026-05-19

Eclipse GlassFish CVE-2026-2586: Brief Summary of a Critical Expression Language Injection Leading to Remote Code Execution
Experimental AI-Generated Content

This CVE analysis is an experimental publication that is completely AI-generated. The content may contain errors or inaccuracies and is subject to change as more information becomes available. We are continuously refining our process.

If you have feedback, questions, or notice any errors, please reach out to us.

[email protected]

Introduction

An Expression Language injection flaw in the Eclipse GlassFish Administration Console allows an authenticated administrator to execute arbitrary operating system commands on the underlying host, earning a CVSS score of 9.1. With functional exploit tooling already developed by the reporting researchers and shared with the Eclipse Foundation, the window between disclosure and patch availability represents a meaningful risk for organizations running affected versions.

Eclipse GlassFish is an open source application server that fully implements the Jakarta EE platform, designed for high availability through clustering, scalability, and load balancing. Data indicates usage by over 1200 companies, making it a significant presence in the enterprise Java ecosystem. Its Administration Console serves as the primary web interface for managing server configurations, deployments, and resources.

Technical Information

Root Cause: Expression Language Injection

The vulnerability is rooted in improper neutralization of Expression Language (EL) statements within the GlassFish Administration Console. It is classified under both CWE-94 (Code Injection) and CWE-917 (Improper Neutralization of Special Elements used in an Expression Language Statement).

Security researchers Gabriel A. Hinostroza Ayala and Camilo Galdos identified that the alertSummary and alertDetail parameters across multiple administration console endpoints do not sanitize user input before it is processed by the EL engine. The primary confirmed vulnerable endpoint is:

/web/configuration/virtualServerEdit.jsf

Attack Flow

The exploitation path works as follows:

  1. An attacker authenticates to the GlassFish Administration Console with valid administrator credentials.
  2. The attacker navigates to (or directly sends a crafted request to) a vulnerable endpoint such as /web/configuration/virtualServerEdit.jsf.
  3. The attacker injects a malicious Expression Language payload into the alertSummary or alertDetail parameter.
  4. The server side EL engine evaluates the injected expression without proper sanitization.
  5. The payload invokes java.lang.Runtime, enabling direct execution of arbitrary operating system commands.
  6. The commands execute with the privileges of the GlassFish service account on the host system.

Scope and Impact

The CVSS 3.1 vector string for this vulnerability is:

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

While the attack requires high privileges (an authenticated administrator), it operates over the network with low complexity and requires no user interaction. The scope change (S:C) is particularly notable: it indicates that compromising the GlassFish application leads directly to a compromise of the underlying host environment. This results in high impacts to confidentiality, integrity, and availability.

The reporting researchers provided the Eclipse Foundation with comprehensive reproduction materials, including a functional proof of concept, an automated exploit script named exploitSSTI.py, a demonstration video, and a detailed list of vulnerable endpoints. The existence of these artifacts confirms the vulnerability is highly reproducible and lowers the barrier to exploitation.

Affected Systems and Versions

ComponentVersionStatus
Eclipse GlassFish7.1.0Confirmed vulnerable
Eclipse GlassFish8.0.0Confirmed vulnerable
Eclipse GlassFish8.0.1Under review by maintainers
glassfish jsftemplating< 4.2.0Vulnerable (core EL processing component)
glassfish jsftemplating4.2.0Contains the fix for EL expression restrictions
Eclipse GlassFish8.0.2Integrates the patched jsftemplating component

Organizations running GlassFish 7.1.0 or 8.0.0 are confirmed affected. Maintainers are currently verifying whether version 8.0.1 also requires inclusion in the affected list. The fix has been merged into glassfish jsftemplating 4.2.0, which restricts access to public static fields, calls to static methods, and all reflective access within EL expressions. Full remediation is scheduled for GlassFish 8.0.2, which integrates this patched component.

Until GlassFish 8.0.2 is deployed, organizations should consider disabling the Administration Console entirely if it is not required for daily operations. If the console must remain active, restrict network access to trusted management IP addresses and audit all authenticated administrator accounts.

Vendor Security History

The GlassFish Administration Console has been the subject of multiple prior security vulnerabilities:

CVEVulnerability TypeAffected Component
CVE-2024-10029Reflected cross site scriptingAdministration Console in version 7.0.15
CVE-2024-8646URL redirection to untrusted sitesVersions prior to 7.0.10
CVE-2017-3249Unauthenticated network compromiseOracle GlassFish Server via LDAP

The pattern of vulnerabilities in the administration interface reinforces the importance of treating the management plane as a high value target and applying strict network segmentation and access controls. The Eclipse Foundation's response to CVE-2026-2586 has been active, with maintainers successfully merging fixes into the templating component and scheduling the platform release.

References

Detect & fix
what others miss

Works with
  • GitHub
  • GitLab
  • Bitbucket
  • Azure DevOps Services
  • Jira
  • Linear
  • Slack
  • Security Compass
Security magnifying glass visualization