Cyber Resilience

CVE-2026-35581

High · Public PoC · RCE

Published: 07 April 2026
Modified: 16 April 2026
KEV Added: not listed (see Summary)
Patch: fixed in Emissary 8.39.0 (see Deeper analysis)
CVSS Score (v3.1): 7.2 (CVSS:3.1/AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H)
EPSS Score: 0.0013 (31.9th percentile)
Risk Priority: 14 (weighting: 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-35581 is a high-severity OS Command Injection (CWE-78) vulnerability in Nsa Emissary. Its CVSS base score is 7.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks at the 31.9th percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.

The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).

Deeper analysis

CVE-2026-35581 is a command injection vulnerability (CWE-78) affecting Emissary, a peer-to-peer (P2P) based data-driven workflow engine. In versions prior to 8.39.0, the Executrix utility class constructs shell commands by directly concatenating configuration-derived values, including the PLACE_NAME parameter, with inadequate sanitization. This process only replaces spaces with underscores, allowing shell metacharacters such as ;, |, $, `, (, and ) to pass through unmodified into /bin/sh -c command execution.

The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H): it is reachable over the network with low attack complexity, but requires high privileges (PR:H) and no user interaction, and it yields high impact to confidentiality, integrity, and availability within an unchanged scope. An attacker holding such privileges could inject and execute arbitrary shell commands via specially crafted PLACE_NAME values, potentially leading to full system compromise.

The issue is addressed in Emissary version 8.39.0. Additional mitigation guidance is available in the GitHub security advisory at https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-6c37-7w4p-jg9v.
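To make the weakness concrete, the following is an added Java illustration, not Emissary's own Executrix code (the class and method names are hypothetical): the space-to-underscore replacement described above sits beside an allowlist validator for PLACE_NAME and an argument-list ProcessBuilder call that never hands the value to /bin/sh -c.

```java
import java.util.List;
import java.util.regex.Pattern;

/** Hypothetical illustration of the CWE-78 pattern; not Emissary code. */
public class PlaceNameHardening {

    // Weak approach described for versions before 8.39.0: only spaces become
    // underscores, so ';', '|', '$', '`', '(' and ')' survive into a shell string.
    static String weakSanitize(String placeName) {
        return placeName.replace(' ', '_');
    }

    // Hardened approach, layer 1: allowlist validation. Only letters, digits,
    // '_', '-' and '.' are accepted; anything else is rejected, not escaped.
    private static final Pattern SAFE_PLACE_NAME =
            Pattern.compile("^[A-Za-z0-9_.-]{1,64}$");

    static boolean isSafePlaceName(String placeName) {
        return placeName != null && SAFE_PLACE_NAME.matcher(placeName).matches();
    }

    // Hardened approach, layer 2: pass arguments as a list so no shell parses
    // them. The value becomes one argv element of the child process instead of
    // part of a command string handed to /bin/sh -c.
    static ProcessBuilder buildCommand(String tool, String placeName) {
        if (!isSafePlaceName(placeName)) {
            throw new IllegalArgumentException("rejected PLACE_NAME: " + placeName);
        }
        return new ProcessBuilder(List.of(tool, "--place", placeName));
    }

    public static void main(String[] args) {
        // Constructed sample values: a benign name, and one carrying a
        // metacharacter from the list on this page. Nothing is executed here.
        String[] samples = { "My Place", "place;extra" };
        for (String s : samples) {
            System.out.printf("%-12s weak=%-12s allowlisted=%b%n",
                    s, weakSanitize(s), isSafePlaceName(s));
        }
        // Expected: "My Place" passes after the space is replaced by the
        // caller, "place;extra" is rejected by the allowlist.
        System.out.println(buildCommand("/usr/local/bin/tool", "My_Place").command());
    }
}
```

The weak variant returns "place;extra" unchanged, which is exactly the class of value the advisory describes reaching the shell; the allowlist rejects it before any command is built.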

Vulnerability details

Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the Executrix utility class constructed shell commands by concatenating configuration-derived values, including the PLACE_NAME parameter, with insufficient sanitization. Only spaces were replaced with underscores, allowing shell metacharacters (;, |, $, `, (, ), etc.) to pass through into /bin/sh -c command execution. This vulnerability is fixed in 8.39.0.

Related Threats

MITRE ATT&CK Enterprise Techniques [AI]

T1190 Exploit Public-Facing Application (Initial Access): Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1059.004 Unix Shell (Execution): Adversaries may abuse Unix shell commands and scripts for execution.
Why these techniques?

A command injection vulnerability in a network-accessible application directly enables exploitation of public-facing applications (T1190) and arbitrary Unix shell command execution (T1059.004).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-35582 (same product: Nsa Emissary)
CVE-2026-35580 (same product: Nsa Emissary)
CVE-2026-42454 (shared CWE-78)
CVE-2026-34796 (shared CWE-78)
CVE-2024-57016 (shared CWE-78)
CVE-2025-50475 (shared CWE-78)
CVE-2024-57015 (shared CWE-78)
CVE-2026-36828 (shared CWE-78)
CVE-2024-57595 (shared CWE-78)
CVE-2026-25196 (shared CWE-78)

Affected Assets

Vendor: nsa · Product: emissary · Versions: ≤ 8.38.0

Mitigating Controls (NIST 800-53 r5) [AI]

prevent (SI-10, Information Input Validation): Mandates validation of configuration-derived inputs like PLACE_NAME to block shell metacharacters before concatenation into /bin/sh -c commands.

prevent (SI-2, Flaw Remediation): Requires timely identification, reporting, and correction of the command injection flaw fixed in Emissary version 8.39.0.

prevent: Enforces restrictions on inputs such as PLACE_NAME to permit only safe characters, preventing injection of shell metacharacters like ;, |, and $.
