OS Command Injection Vulnerability in Emissary Workflow Engine
CVE-2026-35582
What is CVE-2026-35582?
Emissary, a data-driven workflow engine, has an OS command injection vulnerability in the Executrix.getCommand() function prior to version 8.43.0, caused by improper handling of temporary file paths. The configuration keys IN_FILE_ENDING and OUT_FILE_ENDING are concatenated directly into a command string that is executed via /bin/sh -c, with no validation or escaping. A local place author who can modify a place's .cfg file can therefore inject shell metacharacters and execute arbitrary OS commands with the privileges of the Java Virtual Machine (JVM) running Emissary.

The framework does sanitize placeName inputs against an allowlist, but it applies no equivalent check to the file endings, so an injected value reaches the shell intact. Exploitation requires no privileges beyond write access to the configuration file, and integrators of the framework had no safe mitigation or documented preconditions to rely on; until an affected deployment is upgraded, write access to place .cfg files should be treated as equivalent to code execution as the JVM user. The issue is fixed in version 8.43.0.
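The following Java example is added for this page and is not taken from Emissary's source. It shows the shape of the flaw (config values concatenated into a /bin/sh -c string) next to one way to close it (an allowlist on the endings plus an argv array that never passes through a shell). The class name, method names, tool path, temporary directory and sample .cfg values are assumptions made for the illustration; only the key names IN_FILE_ENDING and OUT_FILE_ENDING and the /bin/sh -c pattern come from the advisory, and nothing here claims to reproduce the actual 8.43.0 fix.

```java
import java.util.Arrays;
import java.util.regex.Pattern;

/**
 * Added illustration of the CVE-2026-35582 pattern. This is NOT Emissary's
 * Executrix code: the class, methods, tool path, temp directory and sample
 * .cfg values are assumptions made for this example.
 */
public class FileEndingInjectionDemo {

    // Constructed sample values as they might appear in a place .cfg.
    static final String SAFE_IN_ENDING = ".in";
    static final String MALICIOUS_IN_ENDING = ".in; id > /tmp/pwned #";

    // Vulnerable shape: IN_FILE_ENDING / OUT_FILE_ENDING are concatenated into one
    // string that /bin/sh -c will parse, so ';', '|', '$(...)' etc. are interpreted.
    static String[] vulnerableCommand(String tmpDir, String placeName,
                                      String inEnding, String outEnding) {
        String cmd = "/opt/tool/process " + tmpDir + "/" + placeName + inEnding
                   + " " + tmpDir + "/" + placeName + outEnding;
        return new String[] {"/bin/sh", "-c", cmd};
    }

    // Allowlist for file endings: one to four ".word" groups, word = [A-Za-z0-9_-].
    // Accepts ".in" and ".tar.gz"; rejects "..", "/", whitespace and every shell metacharacter.
    private static final Pattern ENDING_ALLOWLIST =
            Pattern.compile("^(\\.[A-Za-z0-9_-]{1,16}){1,4}$");

    static boolean isValidFileEnding(String ending) {
        return ending != null && ENDING_ALLOWLIST.matcher(ending).matches();
    }

    // Hardened shape: validate both endings against the allowlist, then build an
    // argv array for ProcessBuilder so that no shell parses the arguments at all.
    static String[] hardenedCommand(String tmpDir, String placeName,
                                    String inEnding, String outEnding) {
        if (!isValidFileEnding(inEnding)) {
            throw new IllegalArgumentException("IN_FILE_ENDING rejected: " + inEnding);
        }
        if (!isValidFileEnding(outEnding)) {
            throw new IllegalArgumentException("OUT_FILE_ENDING rejected: " + outEnding);
        }
        return new String[] {
            "/opt/tool/process",
            tmpDir + "/" + placeName + inEnding,
            tmpDir + "/" + placeName + outEnding
        };
    }

    public static void main(String[] args) {
        String tmpDir = "/tmp/emissary";    // assumed temp directory
        String placeName = "ExamplePlace";  // assumed; the framework already allowlists placeName

        // With the malicious ending, the shell would run the tool, then `id`, and treat
        // the rest of the line (including the output path) as a comment.
        System.out.println("vulnerable argv: "
                + Arrays.toString(vulnerableCommand(tmpDir, placeName, MALICIOUS_IN_ENDING, ".out")));

        System.out.println("hardened argv:   "
                + Arrays.toString(hardenedCommand(tmpDir, placeName, SAFE_IN_ENDING, ".out")));

        try {
            hardenedCommand(tmpDir, placeName, MALICIOUS_IN_ENDING, ".out");
        } catch (IllegalArgumentException e) {
            System.out.println("rejected:        " + e.getMessage());
        }
        // To execute the hardened form without a shell:
        // new ProcessBuilder(hardenedCommand(...)).inheritIO().start().waitFor();
    }
}
```

The hardened version applies two independent controls. The allowlist rejects anything outside a narrow file-ending grammar, mirroring the placeName check the advisory says already exists. Building an argv array for ProcessBuilder removes the shell entirely, so even a value that slipped past the allowlist would reach the tool as a literal argument rather than as shell syntax. Either control alone would have stopped the injection described above; keeping both means a future relaxation of the allowlist does not silently reopen it.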
Affected Version(s)
emissary < 8.43.0
