Executive Summary
A critical unauthenticated Remote Code Execution vulnerability (CVE-2026-2587) has been disclosed in GlassFish's server-side gadget handler. The vulnerability stems from unsafe evaluation of user-supplied Expression Language (EL) expressions within the server's XML template processing pipeline. An attacker who can supply a crafted .xml file to the vulnerable endpoint can achieve full remote code execution without prior authentication.
With a CVSS score of 9.6 (Critical), this vulnerability is rated more severely than its sibling CVE-2026-2586 due to the lack of an authentication requirement, significantly lowering the barrier for exploitation.
CVSS Score: 9.6 (Critical)
Vulnerability Overview
| Attribute | Value |
|---|---|
| CVE ID | CVE-2026-2587 |
| CVSS Score | 9.6 (Critical) |
| Type | Server-Side Template Injection (EL Injection) |
| Attack Vector | Network |
| Attack Complexity | Low |
| Privileges Required | None |
| User Interaction | None |
| Affected Component | GlassFish gadget handler / XML template renderer |
| Public Exploit | Not confirmed at publication |
| Published | 2026-05-19 |
Affected Products
| Product | Status |
|---|---|
| GlassFish (gadget handler / XML template rendering) | Vulnerable |
Technical Details
Vulnerability Root Cause
The GlassFish gadget handler processes .xml configuration files and evaluates user-supplied values within a context where Java Expression Language (EL) expressions are resolved at runtime. When an attacker can control the contents of such a file, or submit input that reaches the template renderer, embedded EL expressions such as ${...} (or the deferred form #{...}) are evaluated by the Java EL engine before output, giving the attacker the ability to call arbitrary Java methods.
Expression Language injection in Java application servers can lead to full code execution because the EL context has access to the Java runtime, class loaders, and process execution facilities.
Attack Chain
1. Attacker identifies a GlassFish endpoint that processes XML input or accepts file uploads handled by the gadget renderer
2. Attacker crafts a malicious .xml file containing an EL expression designed to invoke OS command execution via Java Runtime or similar class accessible from the EL context
3. The GlassFish gadget handler parses the XML and evaluates the embedded EL expression
4. The Java EL engine resolves the expression, invoking the attacker-controlled code path
5. Arbitrary commands execute with the privileges of the GlassFish service account
6. Attacker achieves full remote code execution — no credentials required
Why CVSS 9.6?
The score reflects the complete absence of an authentication barrier (unlike CVE-2026-2586), combined with network accessibility, low complexity, no user interaction, and High impact across all three pillars (Confidentiality, Integrity, Availability). EL injection reaching OS command execution is considered one of the highest-severity classes of server-side vulnerability.
Impact Assessment
| Impact Area | Description |
|---|---|
| Unauthenticated RCE | Any network-reachable attacker can execute arbitrary code |
| Full Server Compromise | Access to all data and processes on the host at service account privilege |
| Credential Theft | Application secrets, database passwords, keystores, and tokens accessible |
| Persistence | Attackers can deploy backdoors or modify deployed applications |
| Supply Chain Risk | Compromised application servers can be used to tamper with application artifacts |
| Lateral Movement | Internal network access enables pivoting to databases and downstream systems |
Recommendations
Immediate Actions
- Isolate internet-facing GlassFish instances immediately — disable or firewall the vulnerable endpoint pending a vendor patch
- Apply available patches from Oracle or the Eclipse GlassFish project as soon as released
- Disable XML gadget rendering endpoints if not required by your deployment
- Review server logs for evidence of exploitation attempts — look for unusual request patterns to XML-handling endpoints
Network-Level Mitigations
- Block external access to GlassFish service ports at the perimeter (by default the HTTP listener on 8080, HTTPS on 8181, and the admin listener on 4848)
- Validate and restrict file upload functionality to trusted content types
- Deploy a Web Application Firewall (WAF) to detect EL injection patterns in HTTP request bodies and parameters
WAF Detection Pattern (Example)
# Detect EL expression injection attempts in HTTP parameters
\$\{[^}]*\}|\#\{[^}]*\}
Apply the pattern after URL decoding: a rule that inspects only the raw request line misses percent-encoded payloads such as %24%7B...%7D, and double encoding defeats a single decode pass.
Detection Indicators
| Indicator | Description |
|---|---|
| EL expression syntax in HTTP POST bodies or query params | Active exploitation attempt |
| Unexpected Java process spawning child processes | Possible successful EL injection |
| Outbound connections from GlassFish service user | Possible post-exploitation C2 |
| New or modified files in GlassFish deployment directories | Possible backdoor deployment |
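The log review recommended above and the WAF pattern are easy to get wrong in one specific way: the `${`/`#{` characters almost never arrive literally, they arrive percent-encoded, sometimes twice. The following is an added example (not code from the advisory or from the GlassFish project) that runs the advisory's own pattern over constructed access-log lines and a constructed request body, decoding repeatedly before matching. The NCSA-style log layout, the `/gadget/render` and `/gadget/upload` paths, and the client addresses are assumptions for the sample; the probes themselves (`${7*7}`, `#{foo.bar}`) are harmless canaries, not exploit payloads.

```python
import re
from urllib.parse import unquote

# The advisory's WAF rule: immediate (${...}) and deferred (#{...}) EL syntax.
EL_PATTERN = re.compile(r"\$\{[^}]*\}|#\{[^}]*\}")

# NCSA combined-style access log line. GlassFish can be configured to emit this layout,
# but the exact format below is an assumption made for the constructed sample.
ACCESS_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) HTTP/[\d.]+" (?P<status>\d{3}) (?P<size>\d+|-)'
)


def normalize(text: str, max_rounds: int = 3) -> str:
    """Percent-decode until stable (bounded), so %24%7B and double-encoded %2524%257B both match."""
    for _ in range(max_rounds):
        decoded = unquote(text)
        if decoded == text:
            break
        text = decoded
    return text


def find_el_expressions(text: str) -> list[str]:
    """Return every EL expression present in text after decoding; an empty list means clean."""
    return EL_PATTERN.findall(normalize(text))


def scan_access_log(lines: list[str]) -> list[dict]:
    """One record per request whose path/query (or, for unparsable lines, the raw line) carries EL."""
    hits = []
    for number, line in enumerate(lines, 1):
        m = ACCESS_LINE.match(line)
        target = m.group("target") if m else line
        exprs = find_el_expressions(target)
        if exprs:
            hits.append({
                "line": number,
                "ip": m.group("ip") if m else None,
                "target": target,
                "expressions": exprs,
            })
    return hits


# Constructed sample log: line 1 and 5 are benign, 2 is single-encoded, 3 is double-encoded,
# 4 uses the deferred #{...} syntax (encoded, since a literal '#' would never reach the server).
SAMPLE_LOG = [
    '203.0.113.5 - - [19/May/2026:10:01:02 +0000] "GET /gadget/render?template=home.xml HTTP/1.1" 200 512',
    '203.0.113.9 - - [19/May/2026:10:01:07 +0000] "GET /gadget/render?title=%24%7B7*7%7D HTTP/1.1" 200 498',
    '203.0.113.9 - - [19/May/2026:10:01:09 +0000] "GET /gadget/render?title=%2524%257B7*7%257D HTTP/1.1" 200 498',
    '198.51.100.7 - - [19/May/2026:10:02:30 +0000] "POST /gadget/upload?name=%23%7Bfoo.bar%7D HTTP/1.1" 302 0',
    '203.0.113.5 - - [19/May/2026:10:03:00 +0000] "GET /static/app.css HTTP/1.1" 200 1834',
]

# Constructed request body: what a POSTed gadget XML probe would look like.
SAMPLE_BODY = "<gadget><title>${7*7}</title></gadget>"

if __name__ == "__main__":
    for hit in scan_access_log(SAMPLE_LOG):
        print(f"line {hit['line']}: {hit['ip']} -> {hit['expressions']}")
    print("body:", find_el_expressions(SAMPLE_BODY))
```

Access logs do not record POST bodies, so `find_el_expressions` is also applied to the body separately; in practice that input comes from a reverse proxy or WAF log that captures bodies, or from the uploaded .xml files themselves. A bounded decode loop is deliberate: unbounded decoding on attacker-controlled input is its own denial-of-service vector.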
Relationship to CVE-2026-2586
Both CVE-2026-2586 and CVE-2026-2587 affect the GlassFish platform and were published on the same date, suggesting they were discovered as part of the same security research engagement. The key distinction:
| | CVE-2026-2586 | CVE-2026-2587 |
|---|---|---|
| Authentication | Required (low privilege) | Not required |
| CVSS | 9.1 | 9.6 |
| Vector | Admin Console HTTP request | XML template EL injection |
Organizations should treat both vulnerabilities as requiring immediate attention, but CVE-2026-2587 represents the higher priority due to its unauthenticated exploitability.
Post-Remediation Checklist
- Apply official patch — verify the GlassFish version post-update via asadmin version
- Audit XML processing endpoints — disable or sanitize all endpoints that accept user-controlled XML input
- Rotate all credentials on the affected server: database passwords, API keys, SSL certificates
- Scan for web shells or unauthorized files in GlassFish domain directories
- Review network egress logs for suspicious outbound connections during the vulnerability exposure window
- Update WAF rules to detect EL injection patterns in application traffic
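Scanning a domain directory for web shells only works against a known-good reference, so the check is really a baseline-and-diff. Below is an added example (not code from the advisory or from GlassFish) that hashes every file under a domain tree, stores the manifest, and later reports added, removed and modified files, flagging additions whose extension is typical of a dropped shell or trojaned artifact. The domain layout used in `demo()` (`applications/`, `config/domain.xml`) mirrors a GlassFish domain only loosely and is constructed for the example; the list of high-interest extensions is an assumption, not a vendor list.

```python
import hashlib
import json
import tempfile
from pathlib import Path

# Extensions an attacker typically drops into a deployment tree (web shell, trojaned
# archive, compiled class). An added file with one of these gets looked at first. Assumed list.
HIGH_INTEREST_SUFFIXES = {".jsp", ".jspx", ".war", ".jar", ".class", ".sh"}


def sha256_of(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every regular file under root (relative POSIX path) to its SHA-256."""
    return {
        p.relative_to(root).as_posix(): sha256_of(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def diff_manifests(baseline: dict[str, str], current: dict[str, str]) -> dict[str, list[str]]:
    """Classify every path as added, removed or modified relative to the baseline."""
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(k for k in baseline.keys() & current.keys() if baseline[k] != current[k])
    high_interest = sorted(k for k in added + modified if Path(k).suffix in HIGH_INTEREST_SUFFIXES)
    return {"added": added, "removed": removed, "modified": modified, "high_interest": high_interest}


def save_manifest(manifest: dict[str, str], path: Path) -> None:
    path.write_text(json.dumps(manifest, indent=2, sort_keys=True))


def load_manifest(path: Path) -> dict[str, str]:
    return json.loads(path.read_text())


def demo() -> dict[str, list[str]]:
    """Constructed scenario: baseline a fake domain tree, then simulate post-exploitation changes."""
    with tempfile.TemporaryDirectory() as tmp:
        domain = Path(tmp) / "domain1"
        files = {
            "applications/app/index.jsp": "<html>hello</html>",
            "applications/app/WEB-INF/web.xml": "<web-app/>",
            "config/domain.xml": "<domain/>",
        }
        for rel, body in files.items():
            target = domain / rel
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)

        # Baseline captured from the known-good state; in production keep this copy off-host.
        baseline_path = Path(tmp) / "baseline.json"
        save_manifest(build_manifest(domain), baseline_path)

        # Simulated attacker activity: a dropped JSP, a tampered config, a deleted descriptor.
        (domain / "applications/app/shell.jsp").write_text("<%-- placeholder for a dropped web shell --%>")
        (domain / "config/domain.xml").write_text("<domain><!-- tampered --></domain>")
        (domain / "applications/app/WEB-INF/web.xml").unlink()

        return diff_manifests(load_manifest(baseline_path), build_manifest(domain))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

Take the baseline from a state you trust (a fresh install, or a snapshot from before the exposure window) and store it somewhere the GlassFish service account cannot write; an attacker who already has code execution on the host can otherwise rewrite the manifest to match the backdoor. Timestamps are deliberately not used, since they are trivially reset.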