CVE-2026-2586: GlassFish: authenticated RCE via admin console

GHSA-96v6-hq43-x9h4 CRITICAL
Published May 19, 2026
CISO Take

GlassFish Administration Console contains a code injection flaw (CWE-94) that lets any authenticated admin-panel user execute arbitrary OS commands as the service account — no further interaction required and scope extends beyond the application container (S:C). With 475 downstream dependents and a CVSS of 9.1, the blast radius across Java EE and Jakarta EE deployments running AI/ML management interfaces is significant; although EPSS sits at 0.003 (top 46%), the absence of a public exploit or KEV listing means opportunistic exploitation is the primary near-term risk, not targeted campaigns. Organizations running GlassFish 8.x as infrastructure for ML dashboards, model-serving admin consoles, or AI platform backends should patch immediately to jsftemplating 4.2.0 and console-common 8.0.2, and in the interim restrict admin-console network access to trusted management VLANs only.

Sources: NVD, EPSS, GitHub Advisory, OpenSSF, ATLAS

What is the risk?

CRITICAL for any GlassFish deployment reachable from a network where admin credentials could be compromised or are shared. The CVSS vector AV:N/AC:L/PR:H/UI:N/S:C signals low attack complexity once credentials are in hand, and the changed scope means a successful exploit breaks out of the application boundary — a particularly dangerous property in containerized AI serving environments where lateral movement to GPU nodes, model registries, or training infrastructure is feasible. Fourteen prior CVEs in the same package indicate a recurring vulnerability pattern. OpenSSF score of 7/10 and package risk score of 26/100 suggest moderate supply-chain hygiene but not a hardened project.

Attack Kill Chain

Credential Access (AML.T0012): Adversary obtains GlassFish admin console credentials via spearphishing, credential reuse from a prior breach, or discovery of hardcoded credentials in configuration files.

Exploitation (AML.T0049): Adversary sends a crafted HTTP request to the GlassFish admin API, embedding a malicious template expression in a jsftemplating-processed parameter that triggers CWE-94 code injection.

Command Execution (AML.T0050): The injected expression is evaluated server-side, executing arbitrary OS commands as the GlassFish service account with access to model artifacts, environment variables, and GPU resources.

Impact (AML.T0025): Adversary exfiltrates ML model weights, API keys, and training data from the host filesystem, or establishes a reverse shell to pivot laterally into AI training and inference infrastructure.

What systems are affected?

Package                                      Ecosystem   Vulnerable Range   Patched
org.glassfish.jsftemplating:jsftemplating    maven       < 4.2.0            4.2.0
org.glassfish.main.admingui:console-common   maven       < 8.0.2            8.0.2
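The two affected coordinates and their fixed versions can be checked mechanically against `mvn dependency:tree` output. This is an added example, not code from the advisory or the GlassFish project: it parses constructed tree output (the `com.example:ml-dashboard` project and its dependency lines are made up) and flags every occurrence of either artifact below its patched version, including transitive ones.

```python
import re

# Vulnerable ranges and fixed versions as stated in the advisory.
AFFECTED = {
    "org.glassfish.jsftemplating:jsftemplating": "4.2.0",
    "org.glassfish.main.admingui:console-common": "8.0.2",
}

# Coordinate part of a `mvn dependency:tree` line:
# groupId:artifactId:type[:classifier]:version:scope
COORD = re.compile(r"([\w.\-]+):([\w.\-]+):[\w\-]+(?::[\w\-]+)?:([\w.\-]+):\w+")

# Constructed sample output (not from a real build); console-common would be
# missed by `grep jsftemplating` alone.
SAMPLE_TREE = """\
[INFO] com.example:ml-dashboard:war:1.0.0
[INFO] +- org.glassfish.main.admingui:console-common:jar:8.0.1:compile
[INFO] |  \\- org.glassfish.jsftemplating:jsftemplating:jar:4.1.2:compile
[INFO] +- jakarta.faces:jakarta.faces-api:jar:4.1.0:provided
[INFO] \\- org.glassfish.jsftemplating:jsftemplating:jar:4.2.0:test
"""


def version_key(version):
    """Numeric tuple for comparison; a qualifier such as -SNAPSHOT is ignored."""
    return tuple(int(p) for p in re.findall(r"\d+", version.split("-")[0]))


def find_vulnerable(tree_output):
    """Return (groupId:artifactId, found version, fixed version) for each hit."""
    findings = []
    for line in tree_output.splitlines():
        m = COORD.search(line)
        if not m:
            continue
        ga = f"{m.group(1)}:{m.group(2)}"
        fixed = AFFECTED.get(ga)
        if fixed and version_key(m.group(3)) < version_key(fixed):
            findings.append((ga, m.group(3), fixed))
    return findings


if __name__ == "__main__":
    for ga, found, fixed in find_vulnerable(SAMPLE_TREE):
        print(f"VULNERABLE {ga} {found} (fixed in {fixed})")
```

Feed it real output with `mvn dependency:tree | python3 check_tree.py` after replacing `SAMPLE_TREE` with `sys.stdin.read()`.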

Severity & Risk

CVSS 3.1: 9.1 / 10
EPSS: 0.3% chance of exploitation in 30 days (higher than 54% of all CVEs)
Exploitation Status: No known exploitation
Sophistication: Moderate

Attack Surface

AV (Attack Vector): Network
AC (Attack Complexity): Low
PR (Privileges Required): High
UI (User Interaction): None
S (Scope): Changed
C (Confidentiality): High
I (Integrity): High
A (Availability): High

What should I do?

5 steps
  1. Patch immediately: upgrade org.glassfish.jsftemplating:jsftemplating to ≥4.2.0 and org.glassfish.main.admingui:console-common to ≥8.0.2.

  2. Workaround if patching is delayed: disable or network-isolate the GlassFish Administration Console (default port 4848) — restrict access via firewall rules to management-only CIDR ranges.

  3. Rotate all credentials with access to the admin console; treat any existing admin accounts as potentially compromised if the console was internet-accessible.

  4. Detection: review GlassFish access logs for unusual POST requests to admin endpoints (particularly /management/domain/ paths) from unexpected source IPs; correlate with unexpected child processes spawned by the GlassFish JVM (e.g., bash, sh, cmd).

  5. Audit all Maven dependencies for transitive pulls of the affected artifacts using `mvn dependency:tree | grep jsftemplating`.
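One way to carry out the log review in step 4, as an added example that is not part of the advisory: it parses lines in GlassFish's default quoted access-log layout (client, user, timestamp, request line, status, length) and reports POSTs under /management/domain/ from clients outside an assumed management network (10.10.0.0/24). The log lines and addresses are constructed.

```python
import ipaddress
import re

# Networks allowed to reach the admin console (assumption for this example).
MANAGEMENT_NETS = [ipaddress.ip_network("10.10.0.0/24")]

# Constructed sample lines in GlassFish's default access-log format:
# "%client.name%" "%auth-user-name%" "%datetime%" "%request%" %status% %response.length%
SAMPLE_LOG = """\
"10.10.0.5" "admin" "19/May/2026:09:14:02 +0000" "GET /common/index.jsf HTTP/1.1" 200 8812
"10.10.0.5" "admin" "19/May/2026:09:15:40 +0000" "POST /management/domain/applications/application HTTP/1.1" 200 412
"203.0.113.7" "admin" "19/May/2026:23:41:09 +0000" "POST /management/domain/applications/application HTTP/1.1" 200 377
"203.0.113.7" "admin" "19/May/2026:23:41:15 +0000" "POST /management/domain/servers/server/server/restart HTTP/1.1" 200 201
"198.51.100.23" "NULL-AUTH-USER" "19/May/2026:23:50:00 +0000" "GET /management/domain/version HTTP/1.1" 401 0
"""

LINE = re.compile(r'^"([^"]*)" "([^"]*)" "([^"]*)" "(\S+) (\S+) [^"]*" (\d{3}) (\d+)')


def is_management(ip):
    """True when the client address falls inside an allowed management network."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in MANAGEMENT_NETS)


def suspicious_admin_posts(log_text):
    """Return (client, user, timestamp, path, status) for each POST under
    /management/domain/ that came from outside the management networks.
    Failed attempts (4xx) are kept: they show where credentials were tried."""
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        client, user, ts, method, path, status, _length = m.groups()
        if method == "POST" and path.startswith("/management/domain/") \
                and not is_management(client):
            hits.append((client, user, ts, path, status))
    return hits


if __name__ == "__main__":
    for client, user, ts, path, status in suspicious_admin_posts(SAMPLE_LOG):
        print(f"{ts} {client} user={user} POST {path} -> {status}")
```

Surviving hits are the ones to correlate with child processes (bash, sh, cmd) spawned by the GlassFish JVM around the same timestamps.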

Classification

Compliance Impact

This CVE is relevant to:

EU AI Act
Article 9 - Risk Management System
ISO 42001
A.6.1.2 - Information security roles and responsibilities
A.8.8 - Management of technical vulnerabilities
NIST AI RMF
GOVERN 6.1 - Policies and procedures for vulnerability management
OWASP LLM Top 10
LLM03 - Supply Chain Vulnerabilities

Frequently Asked Questions

What is CVE-2026-2586?

GlassFish Administration Console contains a code injection flaw (CWE-94) that lets any authenticated admin-panel user execute arbitrary OS commands as the service account — no further interaction required and scope extends beyond the application container (S:C). With 475 downstream dependents and a CVSS of 9.1, the blast radius across Java EE and Jakarta EE deployments running AI/ML management interfaces is significant; although EPSS sits at 0.003 (top 46%), the absence of a public exploit or KEV listing means opportunistic exploitation is the primary near-term risk, not targeted campaigns. Organizations running GlassFish 8.x as infrastructure for ML dashboards, model-serving admin consoles, or AI platform backends should patch immediately to jsftemplating 4.2.0 and console-common 8.0.2, and in the interim restrict admin-console network access to trusted management VLANs only.

Is CVE-2026-2586 actively exploited?

No confirmed active exploitation of CVE-2026-2586 has been reported, but organizations should still patch proactively.

How to fix CVE-2026-2586?

  1. Patch immediately: upgrade org.glassfish.jsftemplating:jsftemplating to ≥4.2.0 and org.glassfish.main.admingui:console-common to ≥8.0.2.

  2. Workaround if patching is delayed: disable or network-isolate the GlassFish Administration Console (default port 4848) — restrict access via firewall rules to management-only CIDR ranges.

  3. Rotate all credentials with access to the admin console; treat any existing admin accounts as potentially compromised if the console was internet-accessible.

  4. Detection: review GlassFish access logs for unusual POST requests to admin endpoints (particularly /management/domain/ paths) from unexpected source IPs; correlate with unexpected child processes spawned by the GlassFish JVM (e.g., bash, sh, cmd).

  5. Audit all Maven dependencies for transitive pulls of the affected artifacts using `mvn dependency:tree | grep jsftemplating`.

What systems are affected by CVE-2026-2586?

This vulnerability affects the following AI/ML architecture patterns: ML model serving platforms, AI admin dashboards, Jakarta EE / Java EE application servers, Enterprise AI platform backends.

What is the CVSS score for CVE-2026-2586?

CVE-2026-2586 has a CVSS v3.1 base score of 9.1 (CRITICAL). The EPSS exploitation probability is 0.30%.

AI Security Impact

Affected AI Architectures

ML model serving platforms
AI admin dashboards
Jakarta EE / Java EE application servers
Enterprise AI platform backends

MITRE ATLAS Techniques

AML.T0012 Valid Accounts
AML.T0025 Exfiltration via Cyber Means
AML.T0049 Exploit Public-Facing Application
AML.T0050 Command and Scripting Interpreter
AML.T0072 Reverse Shell

Compliance Controls Affected

EU AI Act: Article 9
ISO 42001: A.6.1.2, A.8.8
NIST AI RMF: GOVERN 6.1
OWASP LLM Top 10: LLM03

Technical Details

Original Advisory

An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Console. A user with access to the panel can send crafted requests that allow the execution of arbitrary operating system commands with the privileges of the application service user.

Exploitation Scenario

An adversary targeting an AI platform team obtains admin credentials to the GlassFish console through spearphishing or credential reuse from a prior breach. They craft a malicious HTTP request to an admin API endpoint handled by jsftemplating that embeds an OS command payload in a template expression (e.g., `${Runtime.getRuntime().exec(...)}`). The GlassFish service — running with access to GPU scheduling scripts, model artifact directories, and internal API tokens stored in environment variables — executes the command, returning output in the HTTP response or establishing an outbound reverse shell. The attacker exfiltrates model weights and inference API keys, then plants a backdoor in a JAR on the classpath to maintain persistence across restarts.

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H

Timeline

Published: May 19, 2026
Last Modified: June 4, 2026
First Seen: June 4, 2026
