Executive Summary
The Apache Software Foundation has disclosed CVE-2026-3098, a critical OGNL (Object-Graph Navigation Language) injection vulnerability in Apache Struts. The flaw allows unauthenticated remote code execution on servers running vulnerable Struts applications and is reminiscent of CVE-2017-5638, the vulnerability exploited in the infamous 2017 Equifax data breach.
CVSS Score: 9.8 (Critical)
CISA has added this vulnerability to the Known Exploited Vulnerabilities catalog with a February 20, 2026 remediation deadline for federal agencies.
Vulnerability Overview
Root Cause
The vulnerability exists in the Struts file upload handling when using the Jakarta multipart parser. Insufficient sanitization of the Content-Disposition header in multipart requests allows OGNL expression injection, enabling server-side code execution.
Attack Chain
1. Attacker identifies web application running Apache Struts
2. Sends multipart HTTP request with malicious Content-Disposition header
3. OGNL expression embedded in header bypasses input validation
4. Struts evaluates the OGNL expression on the server
5. Arbitrary Java code executes with application server privileges
6. Attacker achieves remote code execution
Technical Details
Affected Versions
| Struts Version | Affected | Fixed Version |
|---|---|---|
| 6.0.0 - 6.4.0 | Yes | 6.4.1 |
| 2.5.0 - 2.5.33 | Yes | 2.5.34 |
| 2.3.x (EOL) | Likely | No fix — Upgrade required |
Exploitation
The vulnerability can be exploited with a single HTTP request containing a crafted OGNL expression in the Content-Disposition filename of a multipart form upload. The OGNL payload:
- Overrides the default member access policy to gain reflection access
- Clears Struts' excluded package/class security lists
- Uses `java.lang.ProcessBuilder` to execute arbitrary OS commands
- Streams command output back to the HTTP response
Full exploit payload redacted — see the Apache Struts security bulletin and NVD entry for technical details. The attack requires only a single unauthenticated POST request to any Struts action that processes file uploads.
Identifying Affected Systems
How to Detect Struts Applications
```shell
# Check for common Struts indicators
# .action or .do URL extensions
# Struts error pages with stack traces
# X-Powered-By headers mentioning Struts
# Scan web applications for Struts version
# Check WEB-INF/lib/ for struts2-core-*.jar
```
Common Deployment Patterns
| Deployment | Risk Level |
|---|---|
| Internet-facing Java web apps with file upload | Critical |
| Internal applications with Struts 2.5.x/6.x | High |
| Applications behind WAF with OGNL rules | Medium |
| Applications using Struts REST plugin only | Lower |
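The last indicator above (struts2-core-*.jar under WEB-INF/lib/) is the one that can be checked mechanically across a fleet. The script below is an added example, not code from the advisory or from the Struts project: it walks exploded webapp directories and .war archives, pulls the version out of each struts2-core jar name, and classifies it against the affected-version table above. The jar naming pattern and the assumption that later releases in a line (6.4.1 and up, 2.5.34 and up) carry the fix are assumptions of this example.

```python
"""Inventory Struts deployments for CVE-2026-3098 exposure.

Added example, not part of the advisory: walks exploded webapp directories and
.war archives, finds WEB-INF/lib/struts2-core-*.jar, and classifies the version
against the affected ranges in the advisory's table.
"""
import os
import re
import sys
import zipfile
from typing import Iterator, Optional, Tuple

# (lowest affected, highest affected, fixed release) per the advisory's table.
# 2.3.x is end-of-life and has no fixed release.
AFFECTED_RANGES = [
    ((6, 0, 0), (6, 4, 0), "6.4.1"),
    ((2, 5, 0), (2, 5, 33), "2.5.34"),
    ((2, 3, 0), (2, 3, 999), None),
]

# Matches the core artifact only, e.g. struts2-core-2.5.33.jar (assumed naming).
JAR_NAME_RE = re.compile(r"^struts2-core-(\d+(?:\.\d+)+)\.jar$", re.IGNORECASE)


def parse_version(text: str) -> Tuple[int, ...]:
    """'2.5.33' -> (2, 5, 33); shorter strings are zero-padded to three parts."""
    parts = tuple(int(p) for p in text.split("."))
    return (parts + (0, 0, 0))[:3]


def classify_version(version: str) -> str:
    """Return 'affected', 'fixed' or 'unlisted' for a struts2-core version."""
    v = parse_version(version)
    for low, high, fixed in AFFECTED_RANGES:
        if low <= v <= high:
            return "affected"
        # Assumption: later releases in the same major line carry the fix.
        if fixed is not None and v[0] == low[0] and v >= parse_version(fixed):
            return "fixed"
    return "unlisted"


def version_from_jar_name(path: str) -> Optional[str]:
    """Extract the version from a struts2-core jar path, or None for other jars."""
    match = JAR_NAME_RE.match(os.path.basename(path))
    return match.group(1) if match else None


def scan_war(war_path: str) -> Iterator[Tuple[str, str, str]]:
    """Yield (location, version, status) for struts2-core jars packed in a .war."""
    with zipfile.ZipFile(war_path) as war:
        for entry in war.namelist():
            if entry.startswith("WEB-INF/lib/"):
                version = version_from_jar_name(entry)
                if version:
                    yield f"{war_path}!{entry}", version, classify_version(version)


def scan_tree(root: str) -> Iterator[Tuple[str, str, str]]:
    """Walk a directory; exploded webapps and .war files are both inspected."""
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            full = os.path.join(dirpath, name)
            if name.lower().endswith(".war") and zipfile.is_zipfile(full):
                yield from scan_war(full)
            else:
                version = version_from_jar_name(name)
                if version:
                    yield full, version, classify_version(version)


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else "."
    findings = list(scan_tree(target))
    if not findings:
        print(f"no struts2-core jars found under {target}")
    for location, version, status in findings:
        print(f"{status:9} {version:8} {location}")
```

Run it against the application server's deployment root (for Tomcat, the webapps directory). A result of "unlisted" means the version is outside every range in the table and still needs a manual decision; it is not a clean bill of health.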
Immediate Remediation
Option 1: Upgrade Struts (Recommended)
Update to the fixed version for your release line (6.4.1 for 6.x, 2.5.34 for 2.5.x, as in the table above); the Maven fragment shows the 6.x case:
```xml
<!-- Maven pom.xml -->
<dependency>
  <groupId>org.apache.struts</groupId>
  <artifactId>struts2-core</artifactId>
  <version>6.4.1</version>
</dependency>
```
Option 2: WAF Rules (Temporary Mitigation)
Deploy WAF rules to block OGNL injection patterns:
```apache
# ModSecurity Rule
SecRule REQUEST_HEADERS:Content-Disposition "@rx (%\{|#[_a-zA-Z])" \
    "id:2026309801,phase:1,deny,status:403,\
    msg:'Potential OGNL Injection in Content-Disposition'"
```
This rule inspects the request headers in phase 1. In a multipart upload the Content-Disposition line of each part is carried inside the request body, so a rule over REQUEST_HEADERS alone does not see it; to cover the upload case the WAF must also parse the multipart body and apply the same pattern to the part headers and filenames in the request-body phase (phase 2). Treat WAF blocking as a stopgap until the upgrade is done.
Option 3: Disable File Upload
If file upload is not required:
```xml
<!-- struts.xml -->
<constant name="struts.multipart.maxSize" value="0" />
```
Confirm with a test upload in a staging environment that multipart requests are now rejected, and treat this as a stopgap until the upgrade in Option 1 is applied.
Detection Rules
SIEM Query (Splunk)
```
index=web sourcetype=access_combined
| where match(content_disposition, "(%\{|#[_a-zA-Z]|ognl|OgnlContext|memberAccess)")
| stats count by src_ip, dest, uri_path
| where count > 3
```
The content_disposition field is not part of the default access_combined extraction; the web server or proxy has to log it (for uploads, from the multipart part headers) and a field extraction has to exist before this search returns anything.
IDS/IPS Signature
```
alert http any any -> any any (
    msg:"CVE-2026-3098 Apache Struts OGNL Injection";
    flow:to_server,established;
    content:"Content-Disposition"; http_header;
    pcre:"/Content-Disposition[^;]*(%\{|#[a-z_])/i";
    sid:2026309802;
    rev:1;
)
```
The http_header modifier limits the match to the HTTP request headers; part headers inside a multipart body are not in that buffer. For the upload case, pair this with a companion rule that applies the same pattern to the client request body (http_client_body).
Historical Context
This vulnerability is particularly concerning given the history of Struts OGNL injection flaws:
| CVE | Year | Impact |
|---|---|---|
| CVE-2017-5638 | 2017 | Equifax breach — 147 million records |
| CVE-2018-11776 | 2018 | Widespread exploitation within 24 hours |
| CVE-2023-50164 | 2023 | File upload path traversal |
| CVE-2026-3098 | 2026 | Current — OGNL injection returns |
Organizations that were affected by previous Struts vulnerabilities should treat this as a high-priority emergency.