CVE-2026-39052 Overview
CVE-2026-39052 is a code injection vulnerability in Oinone Pamirs 7.0.0. The flaw resides in the ScriptRunner.run(String expression, String type, Map<String, Object> context) method, which hands attacker-controlled script expressions to the underlying script engine for evaluation. The implementation applies neither sandboxing nor an allowlist, so whatever expression the caller supplies is executed. The vulnerability is classified under [CWE-94] Improper Control of Generation of Code.
Critical Impact
An unauthenticated network attacker can submit crafted script expressions to the ScriptRunner endpoint and execute code within the application process, compromising the confidentiality and integrity of application data.
Affected Products
- Oinone Pamirs 7.0.0
Discovery Timeline
- 2026-05-15 - CVE-2026-39052 published to NVD
- 2026-05-18 - Last updated in NVD database
Technical Details for CVE-2026-39052
Vulnerability Analysis
The vulnerability stems from unsafe evaluation of user-supplied input inside Oinone Pamirs. The ScriptRunner.run method accepts an expression string and a type indicator, then dispatches the expression to the corresponding script engine for evaluation. No allowlist filters which language constructs or APIs the expression may invoke. No sandbox isolates the engine from the host Java Virtual Machine (JVM).
Because the runner is reachable over the network without authentication, an attacker can craft script payloads that interact with platform classes, system properties, or reflection APIs. This pattern matches [CWE-94] Improper Control of Generation of Code, commonly known as code injection.
Root Cause
The root cause is direct evaluation of untrusted input by a scripting engine. The method trusts the caller to supply benign expressions. It performs no static validation of the abstract syntax tree, no class allowlist, and no SecurityManager or comparable boundary. Note that the SecurityManager is deprecated for removal since JDK 17 (JEP 411) and permanently disabled in JDK 24 (JEP 486), so on a current JDK a comparable boundary has to come from the application's own validation of the expression or from process-level isolation, not from the JVM. Any client that can reach the endpoint controls the executed code.
Attack Vector
The attack vector is network-based and requires no privileges or user interaction. An attacker submits a request that reaches ScriptRunner.run, supplying an expression together with the type value that selects the engine to evaluate it. The script engine parses and executes the expression inside the application process. Public proof-of-concept material is available in the GitHub Gist PoC Repository. Source for the affected component is available in the GitHub Project - Oinone PAMIRS.
No verified exploit code is reproduced here. Refer to the linked references for technical details.
Detection Methods for CVE-2026-39052
Indicators of Compromise
- HTTP requests to Oinone Pamirs endpoints carrying parameters that resolve to ScriptRunner.run, particularly with non-trivial expression payloads.
- Child processes spawned by the Pamirs JVM that do not match the baseline of legitimate application behavior.
- Unexpected outbound network connections originating from the Pamirs application process.
Detection Strategies
- Inspect application logs for invocations of ScriptRunner.run and capture the type and length of the expression argument.
- Apply web application firewall rules that flag script keywords (java.lang.Runtime, ProcessBuilder, Reflect) in request bodies destined for Pamirs. Treat these as tripwires rather than controls: a keyword list is a blocklist, and string concatenation, Class.forName with an assembled class name, or an alternative reflection path will evade it.
- Correlate process creation telemetry from the Java host against authenticated Pamirs activity to surface anomalous executions.
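The log-inspection and keyword strategies above, run over a constructed log sample, as an added example that is not part of the original advisory and not Oinone's code. It assumes a JSON-lines audit log with ts, src, user, type and expr fields, an illustrative engine type value of groovy, and a 60-character length baseline; the real Pamirs log layout and endpoint are not documented on this page, so map the fields to whatever the script execution subsystem emits. The keyword list mirrors the WAF rule above, and the sample deliberately includes a split-string payload that the raw keyword rule misses, to show why such rules are a tripwire and not a control.

```python
# Added example, not Oinone's code.  Log format, field names, engine type value
# and the length baseline are assumptions made for this example.
import json
import re
from typing import Dict, List

# Constructed sample log: one record per call that reached ScriptRunner.run.
# "user": null models an unauthenticated caller.
SAMPLE_LOG = """
{"ts": "2026-05-16T08:02:11Z", "src": "10.20.1.14", "user": "alice", "type": "groovy", "expr": "order.total > 1000 && order.region == 'EU'"}
{"ts": "2026-05-16T08:03:40Z", "src": "10.20.1.14", "user": "alice", "type": "groovy", "expr": "customer.tier == 'gold'"}
{"ts": "2026-05-16T11:45:02Z", "src": "203.0.113.10", "user": null, "type": "groovy", "expr": "java.lang.Runtime.getRuntime().exec('id')"}
{"ts": "2026-05-16T11:46:19Z", "src": "203.0.113.10", "user": null, "type": "groovy", "expr": "Class.forName('java.lang.' + 'Runt' + 'ime').getMethod('getRuntime').invoke(null)"}
{"ts": "2026-05-16T11:47:03Z", "src": "203.0.113.10", "user": null, "type": "groovy", "expr": "1 + 1"}
"""

# Keyword tripwire mirroring the WAF rule in the detection strategies.  Widen it
# for the environment (Class.forName, getMethod, invoke, ...), but it stays a
# blocklist and is bypassable.
KEYWORDS = re.compile(r"java\.lang\.Runtime|ProcessBuilder|Reflect", re.IGNORECASE)

# Rejoin string literals that were split with '+', so that
# 'java.lang.' + 'Runt' + 'ime' is matched as java.lang.Runtime.
# This closes only the most naive evasion.
SPLIT_LITERAL = re.compile(r"""(['"])\s*\+\s*\1""")

LENGTH_BASELINE = 60   # assumed; derive it from legitimate expressions in production


def naive_keyword_hit(expr: str) -> bool:
    """What a plain keyword rule sees: the raw expression, no normalisation."""
    return KEYWORDS.search(expr) is not None


def normalize(expr: str) -> str:
    return SPLIT_LITERAL.sub("", expr)


def classify(record: dict) -> List[str]:
    """Return every detection reason that fires for one log record."""
    expr = record.get("expr", "")
    reasons = []
    if record.get("user") is None:
        reasons.append("unauthenticated-invocation")
    if KEYWORDS.search(normalize(expr)):
        reasons.append("dangerous-api")
    if len(expr) > LENGTH_BASELINE:
        reasons.append("oversized-expression")
    return reasons


def triage(log_text: str) -> Dict[str, List[str]]:
    """Group firing reasons by source address, ready to correlate with process
    creation and egress telemetry from the JVM host."""
    findings: Dict[str, set] = {}
    for line in log_text.strip().splitlines():
        record = json.loads(line)
        reasons = classify(record)
        if reasons:
            findings.setdefault(record["src"], set()).update(reasons)
    return {src: sorted(r) for src, r in findings.items()}


if __name__ == "__main__":
    for src, reasons in triage(SAMPLE_LOG).items():
        print(src, ", ".join(reasons))
```

The unauthenticated-invocation reason fires on the harmless "1 + 1" as well, which is intended: on an affected build any unauthenticated request that reaches the runner is notable regardless of payload, and the source address is what you carry into the process-creation correlation.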
Monitoring Recommendations
- Enable verbose audit logging on the script execution subsystem and forward logs to a central analytics platform.
- Track file integrity on the Pamirs deployment directory to detect dropped artifacts after exploitation attempts.
- Monitor JVM resource consumption for spikes consistent with abusive script execution.
How to Mitigate CVE-2026-39052
Immediate Actions Required
- Restrict network access to Oinone Pamirs administrative and scripting endpoints to trusted management networks only.
- Require authentication and authorization checks in front of any handler that reaches ScriptRunner.run.
- Review application logs for prior invocations of the script runner and investigate any suspicious expressions.
Patch Information
No fixed version is identified in the published NVD record at the time of writing. Monitor the Oinone Changelog and the GitHub Project - Oinone PAMIRS for vendor updates that address CVE-2026-39052, and apply them once released.
Workarounds
- Disable the script execution feature in configurations where it is not required for business operations.
- Enforce an allowlist of permitted script expressions, defined as an explicit grammar or a fixed set of known expressions rather than a keyword blocklist, and reject any input outside that set before it reaches the engine, whether at the application gateway or in the application itself.
- Run the Pamirs JVM with a minimal-privilege service account and apply operating system level egress filtering to limit blast radius.
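One way to implement the allowlist workaround, and to supply the syntax-tree validation the root cause section notes is missing, as an added example written in Python for illustration rather than Oinone's Java code: the expression is parsed against a small explicit grammar and, if accepted, evaluated by this module's own interpreter against the context map, so no general-purpose script engine ever receives raw input. The grammar (dotted field lookups into the context, numeric and string literals, arithmetic, comparison, &&, || and parentheses) is hypothetical; Pamirs' actual expression language is not described on this page. The same structure carries over to Java with any expression library that exposes its parse tree for inspection.

```python
# Added example, not Oinone's code.  The grammar is hypothetical; see the lead-in.
import operator
import re
from typing import Any, Dict

TOKEN = re.compile(
    r"""\s*(?:(?P<num>\d+(?:\.\d+)?)|(?P<str>'[^'\\]*'|"[^"\\]*")"""
    r"""|(?P<id>[A-Za-z_][A-Za-z0-9_]*)|(?P<op>==|!=|<=|>=|&&|\|\||[-+*/<>().]))"""
)
BINOPS = {"==": operator.eq, "!=": operator.ne, "<": operator.lt, "<=": operator.le,
          ">": operator.gt, ">=": operator.ge, "+": operator.add, "-": operator.sub,
          "*": operator.mul, "/": operator.truediv}
# Binary precedence, lowest first.  Calls, indexing, ';', '[', '{' do not exist here.
LEVELS = [("||",), ("&&",), ("==", "!=", "<", "<=", ">", ">="), ("+", "-"), ("*", "/")]


def tokenize(src: str) -> list:
    # Lex the expression; any character outside the lexicon is rejected outright.
    src, pos, out = src.strip(), 0, []
    while pos < len(src):
        m = TOKEN.match(src, pos)
        if m is None:
            raise ValueError(f"illegal character at offset {pos}")
        kind, text = m.lastgroup, m.group(m.lastgroup)
        if kind == "num":
            text = float(text) if "." in text else int(text)
        elif kind == "str":
            text = text[1:-1]          # quotes stripped; escapes are not admitted
        out.append((kind, text))
        pos = m.end()
    return out


class Parser:
    # Recursive descent over the tokens; builds a tuple tree or raises ValueError.
    def __init__(self, tokens):
        self.toks, self.i = tokens, 0

    def peek(self):
        return self.toks[self.i] if self.i < len(self.toks) else ("eof", None)

    def expect(self, kind, value=None):
        k, v = self.peek()
        if k != kind or (value is not None and v != value):
            raise ValueError(f"expected {value or kind}, got {v!r}")
        self.i += 1
        return v

    def parse(self):
        node = self.binary(0)
        self.expect("eof")   # anything left over, e.g. the '(' of a call, fails here
        return node

    def binary(self, level):
        if level == len(LEVELS):
            return self.atom()
        node = self.binary(level + 1)
        while self.peek()[0] == "op" and self.peek()[1] in LEVELS[level]:
            node = ("bin", self.expect("op"), node, self.binary(level + 1))
        return node

    def atom(self):
        kind, value = self.peek()
        if kind in ("num", "str"):
            self.i += 1
            return ("lit", value)
        if kind == "id":               # dotted lookup into the context map, never a class
            path = [self.expect("id")]
            while self.peek() == ("op", "."):
                self.i += 1
                path.append(self.expect("id"))
            return ("var", path)
        if (kind, value) == ("op", "("):
            self.i += 1
            node = self.binary(0)
            self.expect("op", ")")
            return node
        raise ValueError(f"unexpected token {value!r}")


def evaluate(node, ctx: Dict[str, Any]) -> Any:
    # Interpret an accepted tree against the context map; nothing else is reachable.
    tag = node[0]
    if tag == "lit":
        return node[1]
    if tag == "var":
        cur = ctx
        for part in node[1]:
            if not isinstance(cur, dict) or part not in cur:
                raise KeyError("unknown field " + ".".join(node[1]))
            cur = cur[part]
        return cur
    _, op, lhs, rhs = node
    if op in ("||", "&&"):             # short-circuit like the source operators
        left = evaluate(lhs, ctx)
        return (left or evaluate(rhs, ctx)) if op == "||" else (left and evaluate(rhs, ctx))
    return BINOPS[op](evaluate(lhs, ctx), evaluate(rhs, ctx))


def is_allowed(expression: str) -> bool:
    """Gateway-side check: True only when the whole expression parses."""
    try:
        return Parser(tokenize(expression)).parse() is not None
    except ValueError:
        return False


def run_restricted(expression: str, context: Dict[str, Any]) -> Any:
    """Stand-in for ScriptRunner.run: parse against the grammar, then interpret."""
    return evaluate(Parser(tokenize(expression)).parse(), context)
```

The split-string evasion that defeats a keyword rule is irrelevant here: Class.forName('java.lang.' + 'Runt' + 'ime') fails not because any keyword matched but because a call is not in the grammar, and a bare `;` or `[` is rejected by the lexer before parsing starts. If the business needs a richer language than a grammar like this can express, the same principle still applies: parse first, walk the tree against an allowlist of node types and identifiers, and only then evaluate.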
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.