{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35581", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-03T20:09:02.827Z", "datePublished": "2026-04-07T15:56:55.838Z", "dateUpdated": "2026-04-08T14:57:47.316Z"}, "containers": {"cna": {"title": "Emissary has a Command Injection via PLACE_NAME Configuration in Executrix", "problemTypes": [{"descriptions": [{"cweId": "CWE-78", "lang": "en", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}}], "references": [{"name": "https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-6c37-7w4p-jg9v", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-6c37-7w4p-jg9v"}], "affected": [{"vendor": "NationalSecurityAgency", "product": "emissary", "versions": [{"version": "< 8.39.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T15:56:55.838Z"}, "descriptions": [{"lang": "en", "value": "Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the Executrix utility class constructed shell commands by concatenating configuration-derived values \u2014 including the PLACE_NAME parameter \u2014 with insufficient sanitization. Only spaces were replaced with underscores, allowing shell metacharacters (;, |, $, `, (, ), etc.) to pass through into /bin/sh -c command execution. This vulnerability is fixed in 8.39.0."}], "source": {"advisory": "GHSA-6c37-7w4p-jg9v", "discovery": "UNKNOWN"}}, "adp": [{"metrics": [{"other": {"type": "ssvc", "content": {"timestamp": "2026-04-08T14:57:38.566917Z", "id": "CVE-2026-35581", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:57:47.316Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CISA ADP Vulnrichment", "metrics": [{"other": {"type": "ssvc", "content": {"id": "CVE-2026-35581", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "total"}], "version": "2.0.3", "timestamp": "2026-04-08T14:57:38.566917Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-08T14:57:43.213Z"}}], "cna": {"title": "Emissary has a Command Injection via PLACE_NAME Configuration in Executrix", "source": {"advisory": "GHSA-6c37-7w4p-jg9v", "discovery": "UNKNOWN"}, "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 7.2, "attackVector": "NETWORK", "baseSeverity": "HIGH", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "integrityImpact": "HIGH", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "HIGH", "confidentialityImpact": "HIGH"}}], "affected": [{"vendor": "NationalSecurityAgency", "product": "emissary", "versions": [{"status": "affected", "version": "< 8.39.0"}]}], "references": [{"url": "https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-6c37-7w4p-jg9v", "name": "https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-6c37-7w4p-jg9v", "tags": ["x_refsource_CONFIRM"]}], "descriptions": [{"lang": "en", "value": "Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the Executrix utility class constructed shell commands by concatenating configuration-derived values \u2014 including the PLACE_NAME parameter \u2014 with insufficient sanitization. Only spaces were replaced with underscores, allowing shell metacharacters (;, |, $, `, (, ), etc.) to pass through into /bin/sh -c command execution. This vulnerability is fixed in 8.39.0."}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-78", "description": "CWE-78: Improper Neutralization of Special Elements used in an OS Command ('OS Command Injection')"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T15:56:55.838Z"}}}, "cveMetadata": {"cveId": "CVE-2026-35581", "state": "PUBLISHED", "dateUpdated": "2026-04-08T14:57:47.316Z", "dateReserved": "2026-04-03T20:09:02.827Z", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "datePublished": "2026-04-07T15:56:55.838Z", "assignerShortName": "GitHub_M"}, "dataVersion": "5.2"}

{"configurations": [{"nodes": [{"cpeMatch": [{"criteria": "cpe:2.3:a:nsa:emissary:*:*:*:*:*:*:*:*", "matchCriteriaId": "9EC86D6D-EB58-4DE4-B88C-C562B33281A0", "versionEndIncluding": "8.38.0", "vulnerable": true}], "negate": false, "operator": "OR"}]}], "cveTags": [], "descriptions": [{"lang": "en", "value": "Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the Executrix utility class constructed shell commands by concatenating configuration-derived values \u2014 including the PLACE_NAME parameter \u2014 with insufficient sanitization. Only spaces were replaced with underscores, allowing shell metacharacters (;, |, $, `, (, ), etc.) to pass through into /bin/sh -c command execution. This vulnerability is fixed in 8.39.0."}], "id": "CVE-2026-35581", "lastModified": "2026-04-16T18:00:24.503", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 7.2, "baseSeverity": "HIGH", "confidentialityImpact": "HIGH", "integrityImpact": "HIGH", "privilegesRequired": "HIGH", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H", "version": "3.1"}, "exploitabilityScore": 1.2, "impactScore": 5.9, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T17:16:33.493", "references": [{"source": "security-advisories@github.com", "tags": ["Exploit", "Vendor Advisory"], "url": "https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-6c37-7w4p-jg9v"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Analyzed", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-78"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.39.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "emissary", "source": "cna", "vendor": "NationalSecurityAgency"}, "product": "emissary", "vendor": "nationalsecurityagency"}], "analysis": {"en": {"generated_at": "2026-04-07T22:45:38.723348+00:00", "value": {"mitigation_remediation": ["Apply the official patch by upgrading Emissary to version 8.39.0 or later.", "If immediate upgrade is not feasible, carefully sanitise or remove any shell metacharacters from all PLACE_NAME configuration entries before restarting the service.", "Monitor configuration files and application logs for unauthorized changes or unexpected shell command execution."], "summary": {"action": "Immediate Patch", "impact": "Command Injection"}, "threat_synthesis": {"affected_systems": "The affected product is the Emissary workflow engine supplied by the National Security Agency. Versions of Emissary older than 8.39.0 are vulnerable. No other vendors or product lines are listed.", "description_and_impact": "The vulnerability arises when the Emissary Executrix utility concatenates configuration values, such as PLACE_NAME, directly into shell commands with only whitespace replaced by underscores. This allows shell metacharacters (for example ; | $ ` ( )) to reach /bin/sh -c, giving an attacker the ability to run arbitrary commands. The weakness is a classic command injection flaw under CWE-78. Such exploitation could compromise confidentiality, integrity, and availability of the host system by ensuring that arbitrary code runs with the permissions of the Emissary process.", "risk_and_exploitability": "The CVSS score of 7.2 indicates a high severity level. The EPSS score is not available, and the vulnerability is not listed in the CISA KEV catalog. The likely attack vector is a maliciously crafted PLACE_NAME configuration entry, which an attacker can supply if they have the ability to modify configuration files or the management interface. This requires the attacker to have write access to Emissary configuration, after which arbitrary shell commands can be executed on the host. "}}}}, "created": "2026-04-08T19:37:02.185886+00:00", "updated": "2026-04-08T19:48:08.028774+00:00", "vendors": ["nationalsecurityagency", "nationalsecurityagency$PRODUCT$emissary"]}