Command Injection Issue in Emissary Workflow Engine by National Security Agency
CVE-2026-35581

7.2 HIGH

Key Information:

CVE Published: 7 April 2026

What is CVE-2026-35581?

Emissary, a peer-to-peer, data-driven workflow engine, contains a command injection vulnerability: its Executrix utility class constructs shell commands improperly. Prior to version 8.39.0, the only sanitization applied was replacing spaces with underscores, so other shell metacharacters passed through unchanged and were interpreted when the command was executed. An attacker could use this to inject arbitrary commands, compromising applications that use the Emissary engine. The issue is resolved in version 8.39.0, which introduces appropriate input sanitization measures.
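The gap described above, as an added illustration that is not code from the Emissary project: a space-only replacement beside an allowlist check, run over constructed sample values. The class name, method names, sample strings and the allowlist policy are all assumptions made for this example, and nothing here reproduces the actual 8.39.0 fix.

```java
import java.util.List;
import java.util.regex.Pattern;

public class CommandTokenCheck {

    // Behaviour the advisory describes for versions before 8.39.0:
    // spaces become underscores, every other character is left alone.
    static String spaceOnlySanitize(String value) {
        return value.replace(' ', '_');
    }

    // Hypothetical stricter policy (an assumption, not the project's fix):
    // accept only a short run of characters that have no meaning to a shell.
    private static final Pattern SAFE_TOKEN = Pattern.compile("[A-Za-z0-9._-]{1,64}");

    static boolean isSafeToken(String value) {
        return value != null
                && SAFE_TOKEN.matcher(value).matches()
                && !value.startsWith("-")   // would be read as an option
                && !value.startsWith(".");  // hidden file or relative path
    }

    // Make control characters visible in the printed table.
    static String printable(String value) {
        return value.replace("\n", "\\n");
    }

    public static void main(String[] args) {
        // Constructed sample values, one per metacharacter class.
        List<String> samples = List.of(
                "UNKNOWN PLACE", "a;b", "a|b", "a&b", "a>b",
                "a$(b)", "a`b`", "a\nb", "-a");

        System.out.printf("%-16s %-16s %s%n", "input", "space-only", "allowlist");
        for (String sample : samples) {
            String weak = spaceOnlySanitize(sample);
            System.out.printf("%-16s %-16s %s%n",
                    printable(sample), printable(weak),
                    isSafeToken(weak) ? "accept" : "reject");
        }
    }
}
```

Only the first sample is accepted after space replacement; every other value keeps its metacharacter and is rejected by the allowlist. Passing arguments as a list to `ProcessBuilder` instead of building a shell command string removes shell interpretation of such characters altogether.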

Affected Version(s)

emissary < 8.39.0

CVSS V3.1

Score: 7.2
Severity: HIGH
Confidentiality: High
Integrity: High
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: High
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved