CVE-2026-2587 Overview
CVE-2026-2587 is a Remote Code Execution (RCE) vulnerability in the server-side template rendering mechanism used by the Eclipse Glassfish gadget handler. The application processes .xml files and evaluates user-supplied values inside a context where Expression Language (EL) expressions are parsed without sanitization or escaping. Researchers confirmed server-side EL evaluation by injecting #{7*7} and observing the server respond with 49. Successful exploitation enables an attacker to read or modify data, run arbitrary commands, establish persistence, and move laterally across the host. The flaw is tracked under CWE-917: Improper Neutralization of Special Elements used in an Expression Language Statement.
Critical Impact
Remote attackers can achieve full host compromise of Eclipse Glassfish servers through unauthenticated EL injection, leading to arbitrary command execution and lateral movement.
Affected Products
- Eclipse Glassfish (gadget handler component)
- Application deployments that render .xml gadget templates
- Environments exposing the Glassfish gadget endpoint to untrusted users
Discovery Timeline
- 2026-05-19 - CVE-2026-2587 published to NVD
- 2026-05-21 - Last updated in NVD database
Technical Details for CVE-2026-2587
Vulnerability Analysis
The Glassfish gadget handler parses .xml gadget definition files and renders their content through a server-side template engine. User-controlled values flow into a rendering context where Jakarta Expression Language (EL) syntax is interpreted as executable expressions. Because the handler does not escape or neutralize EL delimiters, an attacker can embed expressions that the server evaluates at runtime.
The proof-of-concept payload #{7*7} returns 49, demonstrating that arithmetic expressions reach the EL evaluator. Attackers can extend this primitive to invoke arbitrary Java methods, instantiate classes, and call Runtime.exec to execute operating system commands. Exploitation requires user interaction, but no authentication, and the impact crosses a trust boundary as defined by the scope change in the CVSS vector.
Root Cause
The root cause is improper neutralization of special elements used in an Expression Language statement [CWE-917]. The gadget handler concatenates untrusted input into a template string that is later passed to an EL processor instead of treating the input as a literal data value. Without contextual escaping or a strict allowlist, EL delimiters such as #{...} and ${...} retain their special meaning and trigger expression evaluation.
Attack Vector
The attack is delivered over the network. An attacker crafts a malicious .xml gadget or supplies input fields rendered through the gadget handler. When a victim or a backend process triggers rendering, the embedded EL expression executes inside the Glassfish JVM context. From there, the attacker can read files, modify configuration, install backdoors, and pivot to other systems reachable from the server.
No verified public exploit code is available at the time of writing. Technical detail is published in the Eclipse CVE Assignment Issue.
Detection Methods for CVE-2026-2587
Indicators of Compromise
- HTTP requests to gadget rendering endpoints containing #{ or ${ sequences in parameters, headers, or uploaded .xml content
- Unexpected child processes spawned by the Glassfish Java process, such as sh, bash, cmd.exe, powershell.exe, or curl
- Outbound connections from the Glassfish host to unfamiliar IP addresses shortly after gadget-related requests
- New or modified files under Glassfish deployment directories, including unexpected .xml, .jsp, or .war artifacts
Detection Strategies
- Inspect web access logs for EL syntax patterns (#{, ${, T(, Runtime, ProcessBuilder) targeting gadget URLs
- Apply web application firewall rules that block EL delimiter sequences in request bodies and query parameters destined for Glassfish
- Correlate JVM process lineage so child processes of the Glassfish server trigger high-severity alerts in the EDR pipeline
Monitoring Recommendations
- Enable verbose logging on the Glassfish gadget handler and forward logs to a central SIEM for retention and search
- Baseline normal outbound connections from Glassfish hosts and alert on deviations such as connections to non-corporate destinations
- Monitor filesystem changes in webapp and config directories using file integrity monitoring
How to Mitigate CVE-2026-2587
Immediate Actions Required
- Restrict network access to the Glassfish gadget handler endpoints using firewall rules or reverse proxy allowlists
- Disable the gadget handler in deployments that do not require it until a vendor patch is applied
- Rotate credentials, API keys, and secrets stored on or accessible from affected Glassfish hosts as a precaution
- Review web server and application logs for prior exploitation attempts containing EL syntax
Patch Information
No fixed version is listed in the NVD record at the time of publication. Track the Eclipse CVE Assignment Issue for the official advisory and patched release. Apply the vendor update as soon as it becomes available and validate that the gadget handler rejects EL delimiters in user-supplied content.
Workarounds
- Place Glassfish behind a reverse proxy or WAF that strips or blocks #{ and ${ sequences in requests to gadget endpoints
- Run the Glassfish process under a low-privilege service account with no shell access and restricted filesystem permissions
- Apply egress filtering so the Glassfish host cannot initiate arbitrary outbound connections to the internet
# Example reverse proxy filter to block EL delimiters on gadget endpoints
location /gadgets/ {
if ($request_uri ~* "(\#\{|\$\{)") { return 403; }
if ($request_body ~* "(\#\{|\$\{)") { return 403; }
proxy_pass http://glassfish_backend;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
