External risk intelligence

Glassfish RCE lets attackers control your systems and steal data

CVE advisorySeverity: CRITICAL (CVSS 9.6)

CVE-2026-2587

A critical vulnerability in Glassfish allows attackers to take complete control of your systems by sending malicious files, potentially leading to data theft. This is a serious risk because the affected system is often exposed to the internet.

4Halo Surface Signal

Remote Code Execution

Eclipse Glassfish

before 8.0.2

External exposure likelihood

Halo Surface Signal score for CVE-2026-2587

Glassfish is a widely used Java application server that hosts web applications and APIs. These services are commonly deployed in internet-facing configurations to process user-supplied input, such as the XML files described, making the vulnerable rendering mechanism reachable from the public internet in typical web-tier deployments.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability in Glassfish allows remote attackers to execute arbitrary code by sending specially crafted XML files. This happens because user-supplied data is processed without proper checks within a server-side template rendering feature, potentially leading to complete system compromise.

  • Attackers can take full control of affected servers.
  • This could allow access to sensitive data or running unauthorized commands.
  • The vulnerability is reachable from the internet.

Attack Path

How an attacker could exploit the issue

An unauthenticated attacker can abuse this vulnerability by sending specially crafted XML files to a vulnerable Glassfish server. The server's template rendering mechanism will evaluate malicious Expression Language (EL) expressions within these files, allowing the attacker to execute arbitrary commands on the underlying host. This could lead to full system compromise, data theft, or the establishment of persistent access.

  • Unauthenticated network access required.
  • Targets XML file processing.
  • Requires user interaction for initial exploit path.

Live Threat

Current exploitation, exposure, and threat context

This critical RCE vulnerability in Glassfish's template rendering mechanism is highly attractive to attackers. The ability to execute arbitrary code on a server, especially without authentication and with network reachability, offers a direct path to full system compromise. Attackers favor such vulnerabilities because they bypass typical security controls and provide immediate, high-impact access for data theft, further network penetration, or deploying ransomware.

  • Public exploit code likely to emerge.
  • Server-side template injection is a known attack pattern.
  • No indication of exploitation yet.

Priority actions

Operational Fix

Recommended remediation, mitigation, and detection steps

Prioritize immediate containment of Glassfish services processing XML due to critical RCE. Actively exploited vulnerabilities require swift action to prevent host compromise, data breaches, and lateral movement.

  • Isolate affected Glassfish servers.
  • Block XML file uploads and processing.
  • Monitor network traffic for EL injection attempts.

Frequently asked questions

What is Eclipse Glassfish and what is it used for?

Eclipse Glassfish is an open-source application server used for developing and deploying Java-based web applications and services. It provides a robust platform for running enterprise-level applications, often handling complex business logic and data processing.

What type of vulnerability is CVE-2026-2587 in Glassfish?

CVE-2026-2587 is a critical Remote Code Execution (RCE) vulnerability classified as CWE-917, which relates to improper neutralization of special elements used in an expression language (EL) construct. This means attackers can inject malicious expressions to run unauthorized code.

How can an attacker exploit the Glassfish vulnerability?

An attacker can exploit this by sending specially crafted XML files to a vulnerable Glassfish server. These files contain malicious Expression Language (EL) expressions that are evaluated by the server's template rendering mechanism without proper sanitization, leading to code execution.

What are the potential impacts of this Glassfish RCE vulnerability?

Successful exploitation allows a remote attacker to gain full control of the underlying host. This can lead to reading or modifying data, executing arbitrary commands, establishing persistence, and moving laterally within the network.

What practical steps should be taken regarding this Glassfish vulnerability?

It is recommended to isolate affected Glassfish servers, block XML file uploads and processing, and monitor network traffic for signs of Expression Language injection attempts. Swift action is crucial to prevent host compromise and data breaches.

References

Sources and related resources

Primary sources: NVD, CVE.org.

NVDPublished Modified