CVSS score: 5.3

Emissary Configuration API Allows Access to Sensitive Files

CVE-2026-35583 GHSA-hxf2-gm22-7vcm
Summary

Prior to version 8.39.0, the Emissary configuration API had a weakness that could allow attackers to access sensitive files. This was fixed in version 8.39.0. To protect your system, make sure you're running the latest version of Emissary.

What to do
  • Update gov.nsa.emissary:emissary to version 8.39.0.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| | gov.nsa.emissary:emissary | <= 8.39.0 | 8.39.0 |
Original title
Emissary has a Path Traversal via Blacklist Bypass in Configuration API
Original description
## Summary

The configuration API endpoint (`/api/configuration/{name}`) validated
configuration names using a blacklist approach that checked for `\`, `/`, `..`,
and trailing `.`. This could potentially be bypassed using URL-encoded variants,
double-encoding, or Unicode normalization to achieve path traversal and read
configuration files outside the intended directory.

## Details

### Vulnerable code — `Configs.java` (line 126)

```java
protected static String validate(String config) {
    if (StringUtils.isBlank(config) || config.contains("\\") || config.contains("/")
            || config.contains("..") || config.endsWith(".")) {
        throw new IllegalArgumentException("Invalid config name: " + config);
    }
    return Strings.CS.appendIfMissing(config.trim(), CONFIG_FILE_ENDING);
}
```

### Weakness

The blacklist blocked literal `\`, `/`, `..`, and trailing `.` but could
potentially miss:

- URL-encoded variants (`%2e%2e%2f`) if decoded after validation
- Double-encoded sequences (`%252e%252e%252f`)
- Unicode normalization bypasses
- More generally, any input the string match did not anticipate, because the approach relied on substring matching rather than canonical path resolution

### Impact

- Potential read access to configuration files outside the intended config
directory
- Information disclosure of sensitive configuration values

## Remediation

Fixed in [PR #1292](https://github.com/NationalSecurityAgency/emissary/pull/1292),
merged into release 8.39.0.

The blacklist was replaced with an allowlist regex that only permits characters
matching `^[a-zA-Z0-9._-]+$`:

```java
protected static final Pattern VALID_CONFIG_NAME = Pattern.compile("^[a-zA-Z0-9._-]+$");

protected static String validate(String config) {
    if (!VALID_CONFIG_NAME.matcher(config).matches() || config.contains("..") || config.endsWith(".")) {
        throw new IllegalArgumentException("Invalid config name: " + config);
    }
    return Strings.CS.appendIfMissing(config.trim(), CONFIG_FILE_ENDING);
}
```

This ensures that any character outside the allowed set — including encoded
slashes, percent signs, and Unicode sequences — is rejected before the config
name reaches the filesystem.

Tests were added to verify that URL-encoded (`%2e%2e%2f`), double-encoded
(`%252e%252e%252f`), and Unicode (`U+002F`) traversal attempts are blocked.
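The following is an added regression check, not code from the Emissary project, that re-implements both validators above in Python and runs the advisory's bypass classes through them. It models a server that percent-decodes and NFKC-normalizes the name *after* validation (the ordering the advisory warns about) and adds the canonical-path check the blacklist lacked; the `.cfg` suffix and the `/srv/emissary/config` directory are assumptions.

```python
import re
import unicodedata
from pathlib import Path
from urllib.parse import unquote

CONFIG_FILE_ENDING = ".cfg"  # assumed; Emissary's real CONFIG_FILE_ENDING is not quoted in the advisory
VALID_CONFIG_NAME = re.compile(r"^[a-zA-Z0-9._-]+$")  # allowlist from the 8.39.0 fix


def append_if_missing(name: str) -> str:
    return name if name.endswith(CONFIG_FILE_ENDING) else name + CONFIG_FILE_ENDING


def validate_blacklist(config: str) -> str:
    """Pre-8.39.0 logic: reject a handful of known-bad substrings."""
    if (not config.strip() or "\\" in config or "/" in config
            or ".." in config or config.endswith(".")):
        raise ValueError(f"Invalid config name: {config}")
    return append_if_missing(config.strip())


def validate_allowlist(config: str) -> str:
    """8.39.0 logic: only allowlisted characters pass; '..' and trailing '.' stay blocked."""
    if not VALID_CONFIG_NAME.match(config) or ".." in config or config.endswith("."):
        raise ValueError(f"Invalid config name: {config}")
    return append_if_missing(config.strip())


def canonicalize(name: str) -> str:
    """Models a server that percent-decodes (twice, covering double encoding) and
    NFKC-normalizes the path segment only after validation has already run."""
    return unicodedata.normalize("NFKC", unquote(unquote(name)))


def check(validator, raw_name: str) -> str:
    """Return 'rejected', or the file name that would reach the filesystem."""
    try:
        return canonicalize(validator(raw_name))
    except ValueError:
        return "rejected"


def escapes_config_dir(name: str, config_dir: str = "/srv/emissary/config") -> bool:
    """Defence in depth the blacklist lacked: resolve the path and require it to stay under config_dir."""
    base = Path(config_dir).resolve()
    target = (base / name).resolve()
    return base not in target.parents


# Constructed inputs: the advisory's URL-encoded, double-encoded and Unicode-normalization classes.
SAMPLES = ["%2e%2e%2fsecret", "%252e%252e%252fsecret", "\uff0e\uff0e\uff0fsecret", "emissary.Worker"]
if __name__ == "__main__":
    for s in SAMPLES:
        print(f"{s!r:32} blacklist -> {check(validate_blacklist, s):16} allowlist -> {check(validate_allowlist, s)}")
```

Only the last sample survives the allowlist; the three encoded names pass the blacklist and become `../secret.cfg` once decoded, which `escapes_config_dir` would still catch.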

## Workarounds

If upgrading is not immediately possible, deploy a reverse proxy or WAF rule
that rejects requests to `/api/configuration/` containing encoded path traversal
sequences.

## References

- [PR #1292 — validate config name with an allowlist](https://github.com/NationalSecurityAgency/emissary/pull/1292)
- Original report: GHSA-wjqm-p579-x3ww
NVD CVSS 3.1 score: 5.3
Vulnerability type: CWE-22 Path Traversal
Published: 8 Apr 2026 · Updated: 8 Apr 2026 · First seen: 7 Apr 2026