External risk intelligence

XXL-Job Admin CSRF Vulnerability Allows Unauthorized Script Modifications

CVE advisorySeverity: CRITICAL (CVSS 9.1)

CVE-2026-26718

The vulnerability affects a web application administration console. Such management and job scheduling interfaces are frequently deployed as internet-facing or externally reachable services to facilitate remote administration and monitoring, increasing the likelihood of public network exposure.

Cross-site Request Forgery

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical Cross-Site Request Forgery vulnerability has been identified in the xxl-job-admin web application. This issue could allow an attacker to make unauthorized changes to system scripts, potentially impacting the integrity of scheduled tasks. The main concern is confirming whether this specific application is in use and exposed.

  • Unrestricted script changes possible via web application.
  • Management interfaces are often internet-facing.
  • Confirm relevance and exposure of the admin tool.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by tricking an authenticated user into visiting a malicious website. The xxl-job-admin web application's affected endpoint does not adequately check for a valid CSRF token, allowing an attacker to force the user's browser to send a request that modifies Glue IDE shell scripts without the user's explicit consent. This could lead to unauthorized script alterations.

  • No user authentication needed.
  • Triggers through crafted web requests.
  • Unauthorized script modifications.

Live Threat

Current exploitation, exposure, and threat context

This vulnerability could allow an unauthenticated attacker to modify Glue IDE shell scripts in the xxl-job-admin web application. This could occur when a user visits a malicious website while logged into the administrative interface, triggering unauthorized script modifications without the user's explicit consent.

  • Unauthorized script modifications.
  • Via crafted web requests.
  • Disrupt job execution.

Operational Fix

Recommended remediation, mitigation, and detection steps

The xxl-job-admin web application's CSRF vulnerability, which allows unauthorized modification of Glue IDE shell scripts, requires immediate attention from teams managing the application or its underlying infrastructure. The first step is to identify all instances of this application, determine their exposure and business criticality, and then assign ownership for remediation planning.

  • Application and infrastructure teams own the issue.
  • Verify reachability and business criticality.
  • Plan remediation based on confirmed risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is xxl-job-admin?

xxl-job-admin is a web-based administration console used for managing and monitoring distributed job scheduling. It serves as a centralized interface where administrators configure task executions, maintain logs, and manage system scripts, including those used in the Glue IDE for job processing.

What does CVE-2026-26718 mean?

This vulnerability is a Cross-Site Request Forgery (CSRF), categorized as CWE-352. It means the application fails to verify that requests sent to modify scripts are intentional. An attacker can manipulate a user's browser to perform unauthorized script changes within the administration console without the user's consent.

How does an attacker trigger this vulnerability?

The issue is triggered when an authenticated user visits a malicious website while logged into the xxl-job-admin interface. The browser then sends unauthorized requests to the application. Requests made by a user who is not logged into the console do not trigger the bug, as the vulnerability relies on an active session to authorize the unwanted changes.

Do I need to worry if my instance is internal?

Halo Surface Signal indicates that management interfaces like xxl-job-admin are often deployed as internet-facing services. While internet-exposed instances are at higher risk, any user with access to the console can be targeted. You should prioritize assessing the reachability of your specific deployment to determine its risk profile.

When should I take action on this vulnerability?

You should begin by identifying all instances of xxl-job-admin within your environment. Once you have a complete list, verify the business criticality and network reachability of each instance. Use this information to assign ownership and begin remediation planning to protect your job scheduling infrastructure.

References