Emissary Workflow Engine Vulnerable to OS Command Injection
The National Vulnerability Database (NVD) reports a critical OS command injection vulnerability, CVE-2026-35582, affecting Emissary, a P2P data-driven workflow engine. Specifically, versions 8.42.0 and below are impacted. The flaw resides in Executrix.getCommand(), which insecurely interpolates temporary file paths into /bin/sh -c shell commands. This allows an attacker to inject arbitrary shell metacharacters via the IN_FILE_ENDING and OUT_FILE_ENDING configuration keys.
The critical aspect here is that the framework already sanitizes placeName but completely misses these file ending values. An attacker only needs authorship of a .cfg file; no runtime privileges, API access, or network access are required. This is a fundamental framework-level defect, meaning downstream implementers have no safe mitigation beyond patching. The NVD assigns a CVSS score of 8.8 (High).
For defenders, this is a clear-cut case: if you’re running Emissary 8.42.0 or below, you’re exposed. The attacker’s calculus is simple: gain configuration access, inject malicious commands, and achieve OS-level execution within the JVM process’s security context. This is a direct path to system compromise, data exfiltration, or further lateral movement.
What This Means For You
- If your organization uses Emissary versions 8.42.0 or below, you are directly exposed to OS command injection. This vulnerability requires immediate attention. Patch to version 8.43.0 without delay. Audit your Emissary configurations for any unauthorized modifications or suspicious `IN_FILE_ENDING` or `OUT_FILE_ENDING` values.
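One way to run the configuration audit recommended above, as an added example that is not part of the NVD entry or the Emissary project: the script flags any `IN_FILE_ENDING` or `OUT_FILE_ENDING` value containing characters outside a conservative allowlist. The `KEY = "value"` line format, the allowlist and the sample configuration are assumptions of this example.

```python
import re
from pathlib import Path

# Keys named in the advisory for CVE-2026-35582.
KEYS = ("IN_FILE_ENDING", "OUT_FILE_ENDING")
# Assumed .cfg line shape: KEY = "value" (quotes optional, '#' starts a comment line).
LINE_RE = re.compile(r'^\s*(%s)\s*=\s*(.*?)\s*$' % "|".join(KEYS))
# Allowlist policy (an assumption of this example): a file ending holds only
# letters, digits, dot, underscore and hyphen. Everything else is flagged.
SAFE_RE = re.compile(r'[A-Za-z0-9._-]*')


def audit_cfg_text(text, source="<inline>"):
    """Return (source, line_no, key, value) for every value outside the allowlist."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        if line.lstrip().startswith("#"):
            continue  # commented-out settings are not active configuration
        m = LINE_RE.match(line)
        if not m:
            continue
        key, value = m.group(1), m.group(2)
        if len(value) >= 2 and value[0] == value[-1] == '"':
            value = value[1:-1]  # drop the surrounding quotes
        if not SAFE_RE.fullmatch(value):
            findings.append((source, line_no, key, value))
    return findings


def audit_tree(root):
    """Audit every *.cfg file below root."""
    findings = []
    for path in sorted(Path(root).rglob("*.cfg")):
        text = path.read_text(encoding="utf-8", errors="replace")
        findings.extend(audit_cfg_text(text, str(path)))
    return findings


# Constructed sample, not taken from a real deployment.
SAMPLE_CFG = '''\
# constructed example place configuration
PLACE_NAME = "SamplePlace"
IN_FILE_ENDING = ".in"
OUT_FILE_ENDING = ".out; echo constructed-sample"
'''

if __name__ == "__main__":
    for finding in audit_cfg_text(SAMPLE_CFG, "sample.cfg"):
        print("%s:%d %s has unexpected characters: %r" % finding)
```

Run `audit_tree()` against the directory that holds your place configurations; a finding means the value needs review and is not by itself proof of tampering.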
Indicators of Compromise
| ID | Type | Indicator |
|---|---|---|
| CVE-2026-35582 | Command Injection | Emissary workflow engine versions 8.42.0 and below |
| CVE-2026-35582 | Command Injection | Vulnerable component: Executrix.getCommand() |
| CVE-2026-35582 | Command Injection | Vulnerable configuration keys: IN_FILE_ENDING, OUT_FILE_ENDING |
Source & Attribution
| Source Platform | NVD |
|---|---|
| Channel | National Vulnerability Database |
| Published | April 18, 2026 at 05:16 UTC |
This content was AI-rewritten and enriched by Shimi's Cyber World based on the original source. All intellectual property rights remain with the original author.