
GlassFish admin console lets attackers run commands on your server

CVE advisory

Severity: CRITICAL (CVSS 9.1)

CVE-2026-2586

An internal attacker with valid credentials can misuse the GlassFish administration console to run unauthorized system commands. This could allow them to gain full control over the server, leading to compromised data and potential long-term access to critical business systems.

Halo Surface Signal: 2

Weakness: Code Injection

Product: Eclipse GlassFish

Affected versions: before 8.0.2

External exposure likelihood

Halo Surface Signal score for CVE-2026-2586

The vulnerability exists in an administration console, which is an internal management interface. These services are typically restricted to authorized network segments or VPNs and are not designed for public internet exposure. While they are network-reachable, they are generally protected by internal controls, making direct public internet access an uncommon or non-standard deployment.

Horizon Alert

Summary of the vulnerability and why it matters

An authenticated Remote Code Execution vulnerability exists in GlassFish's Administration Console. This means someone with existing access to the console can send specially crafted requests to run operating system commands on the server, with the same permissions as the GlassFish service. This warrants attention because it allows for significant compromise of the affected system.

  • Can execute arbitrary commands.
  • Impacts server security and data.
  • Requires prior access to the console.

Attack Path

How an attacker could exploit the issue

An attacker with existing administrative access to the GlassFish Administration Console can exploit this flaw to execute arbitrary commands on the server. This is achieved by sending specially crafted requests through the console, leveraging the vulnerability to bypass normal security checks and run malicious code with the application's service user privileges.

  • Requires administrative access.
  • Targets the administration console.
  • Server command execution is the goal.

Live Threat

Current exploitation, exposure, and threat context

Attackers may find this RCE vulnerability in GlassFish's administration console appealing due to its potential for full system compromise. However, its requirement for prior authentication and targeting of an administrative interface suggests it would likely be exploited in a post-compromise scenario or against systems with weak internal access controls rather than for widespread, unauthenticated public exploitation. The critical severity rating is tempered by the authentication prerequisite and the internal-facing nature of the vulnerable component.

  • Exploitation requires authentication.
  • Targets an administrative interface.
  • No entry in the CISA Known Exploited Vulnerabilities (KEV) catalog.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Because of the critical RCE in the administration console, prioritize isolating or taking offline any GlassFish instance whose console is reachable by untrusted users. Authenticated users can execute arbitrary OS commands, so the risk to the host is significant.

  • Identify and isolate affected GlassFish administration consoles.
  • Block all inbound traffic to exposed consoles if isolation is impossible.
  • Monitor logs for signs of command execution attempts.
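As an added example (not code from the advisory or the Eclipse GlassFish project), a small Python triage script that applies the advisory's two triage criteria, affected version (before 8.0.2) and admin-console exposure, to a constructed host inventory. The inventory format, host names and bind addresses are assumptions.

```python
from ipaddress import ip_address
from typing import NamedTuple
FIXED_VERSION = (8, 0, 2)  # advisory: versions before 8.0.2 are affected

class Instance(NamedTuple):
    host: str
    version: str     # GlassFish version string, e.g. "8.0.1"
    admin_bind: str  # address the admin listener is bound to

def parse_version(text: str) -> tuple:
    """'7.0.20' or '8.0.2-SNAPSHOT' -> comparable tuple of ints."""
    parts = []
    for piece in text.split("."):
        digits = "".join(ch for ch in piece if ch.isdigit())
        if not digits:
            break
        parts.append(int(digits))
    return tuple(parts)  # note "8.0" < (8, 0, 2): unknown patch level is flagged

def exposure(bind: str) -> str:
    # Classify where the admin listener can be reached from.
    addr = ip_address(bind)
    if addr.is_loopback:
        return "loopback"
    if addr.is_unspecified:  # 0.0.0.0 or :: binds every interface
        return "all-interfaces"
    return "internal" if addr.is_private else "public"

def triage(inst: Instance) -> dict:
    # Map affected range and console exposure to the advisory's priority actions.
    affected = parse_version(inst.version) < FIXED_VERSION
    where = exposure(inst.admin_bind)
    if not affected:
        action = "none: fixed version"
    elif where in ("all-interfaces", "public"):
        action = "isolate: block inbound traffic to the admin listener, then patch"
    elif where == "internal":
        action = "restrict the console to the admin network, then patch"
    else:
        action = "patch"
    return {"host": inst.host, "affected": affected, "exposure": where, "action": action}

# Constructed sample inventory; hosts and addresses are made up.
INVENTORY = [
    Instance("app-01.example.internal", "8.0.1", "0.0.0.0"),
    Instance("app-02.example.internal", "8.0.2", "0.0.0.0"),
    Instance("app-03.example.internal", "7.0.20", "127.0.0.1"),
    Instance("app-04.example.internal", "8.0.0", "10.20.30.40"),
]
def triage_inventory(inventory=INVENTORY) -> list:
    return [triage(inst) for inst in inventory]
```

Feed it the real inventory exported from your CMDB or asset scanner; instances whose action starts with "isolate" are the ones the advisory says to handle first.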

Frequently asked questions

What is Eclipse GlassFish and its primary function in enterprise environments?

Eclipse GlassFish is an open-source application server designed for building and deploying Java enterprise applications. It provides a robust framework for developing scalable, secure, and complex web services and applications.

How does CVE-2026-2586 enable command execution and what weakness class is associated with it?

CVE-2026-2586 is a Remote Code Execution vulnerability (CWE-94) that allows an authenticated attacker to send specially crafted requests to the GlassFish Administration Console. This can lead to the execution of arbitrary operating system commands with the privileges of the GlassFish service user.

What are the conditions necessary for an attacker to trigger the CVE-2026-2586 vulnerability?

Triggering CVE-2026-2586 requires an attacker to have prior authenticated access to the GlassFish Administration Console. Once authenticated, the attacker can send crafted requests to exploit the vulnerability, aiming to execute commands on the server.

What is the significance of the Halo Surface Signal's 'Unlikely' rating for CVE-2026-2586, and how does it relate to the...

The Halo Surface Signal rates CVE-2026-2586 as 'Unlikely' to be exploited externally because the vulnerability resides within an administration console, which is typically an internal management interface. Such interfaces are usually protected by internal network controls and are not directly exposed to the public internet, limiting direct exploitation pathways.

What practical steps should be taken to respond to the GlassFish administration console RCE vulnerability?

To address this critical RCE vulnerability, organizations should prioritize isolating GlassFish instances accessible to unauthenticated users. If isolation is not feasible, blocking all inbound traffic to exposed administration consoles is recommended. Additionally, continuous monitoring of logs for any command execution attempts is crucial for detecting potential exploitation.
