CVE-2026-35581
Published: 07 April 2026
Summary
CVE-2026-35581 is a high-severity OS Command Injection (CWE-78) vulnerability in NSA Emissary. Its CVSS base score is 7.2 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE is ranked at the 26.2nd percentile by exploit likelihood (below the median), it is not currently listed in the CISA KEV catalog, and a public proof-of-concept is referenced.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)
Mandates validation of configuration-derived inputs like PLACE_NAME to block shell metacharacters before concatenation into /bin/sh -c commands.
Requires timely identification, reporting, and correction of the command injection flaw fixed in Emissary version 8.39.0.
Enforces restrictions on inputs such as PLACE_NAME to permit only safe characters, preventing injection of shell metacharacters like ;, |, and $.
MITRE ATT&CK Enterprise Techniques
Why these techniques?
A command injection vulnerability in a network-accessible application directly enables exploitation of public-facing apps (T1190) and arbitrary Unix shell command execution (T1059.004).
NVD Description
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the Executrix utility class constructed shell commands by concatenating configuration-derived values — including the PLACE_NAME parameter — with insufficient sanitization. Only spaces were replaced with underscores, allowing shell metacharacters (;, |, $, `, (, ), etc.) to pass through into /bin/sh -c command execution. This vulnerability is fixed in 8.39.0.
Deeper analysis
CVE-2026-35581 is a command injection vulnerability (CWE-78) affecting Emissary, a peer-to-peer (P2P) based data-driven workflow engine. In versions prior to 8.39.0, the Executrix utility class constructs shell commands by directly concatenating configuration-derived values, including the PLACE_NAME parameter, with inadequate sanitization. This process only replaces spaces with underscores, allowing shell metacharacters such as ;, |, $, `, (, and ) to pass through unmodified into /bin/sh -c command execution.
The vulnerability carries a CVSS v3.1 base score of 7.2 (AV:N/AC:L/PR:H/UI:N/S:U/C:H/I:H/A:H): it is reachable over the network with low attack complexity, requires high privileges (PR:H) and no user interaction, and has high impact on confidentiality, integrity, and availability with scope unchanged. An attacker with sufficient privileges could inject and execute arbitrary shell commands via specially crafted PLACE_NAME values, potentially leading to full system compromise.
The issue is addressed in Emissary version 8.39.0. Additional mitigation guidance is available in the GitHub security advisory at https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-6c37-7w4p-jg9v.
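The sanitization gap described above, as an added example (not Emissary's code and not the fix shipped in 8.39.0): it contrasts the spaces-only replacement with an allow-list check and an argument-vector ProcessBuilder call that involves no /bin/sh -c. The class and method names, the allow-list pattern, the tool path and the sample values are assumptions made for illustration.

```java
import java.util.List;
import java.util.regex.Pattern;

/** Added illustration; not Emissary's Executrix code. All names here are hypothetical. */
public class PlaceNameCheck {

    // Sanitization as the advisory describes it: only spaces become underscores.
    static String spacesOnly(String placeName) {
        return placeName.replace(' ', '_');
    }

    // Allow-list (assumed policy): letters, digits, dot, underscore, hyphen; bounded length.
    private static final Pattern SAFE = Pattern.compile("[A-Za-z0-9._-]{1,128}");

    static String requireSafe(String placeName) {
        if (placeName == null || !SAFE.matcher(placeName).matches()) {
            throw new IllegalArgumentException("PLACE_NAME contains characters outside the allow-list");
        }
        return placeName;
    }

    // Build the command as an argument vector so no shell ever parses the value.
    // The tool path and the --place option are hypothetical placeholders.
    static ProcessBuilder buildCommand(String tool, String placeName, String inputFile) {
        return new ProcessBuilder(List.of(tool, "--place", requireSafe(placeName), inputFile));
    }

    public static void main(String[] args) {
        // Constructed sample values covering the metacharacters named in the advisory.
        String[] samples = {"UnixCommandPlace", "My Place", "name;x", "a|b", "x$y", "a`b", "f(x)"};
        for (String s : samples) {
            String legacy = spacesOnly(s);
            boolean metaSurvives = legacy.matches(".*[;|$`()].*");
            String verdict;
            try {
                requireSafe(legacy);
                verdict = "accepted";
            } catch (IllegalArgumentException e) {
                verdict = "rejected";
            }
            System.out.printf("%-18s spaces-only=%-18s metachar-survives=%-5b allow-list=%s%n",
                    s, legacy, metaSurvives, verdict);
        }
        // The process is only constructed here, never started.
        System.out.println(buildCommand("/opt/example/tool", "UnixCommandPlace", "in.dat").command());
    }
}
```

The same allow-list can serve as a pre-upgrade audit of configuration files: any PLACE_NAME value it rejects is worth reviewing on hosts still running a version earlier than 8.39.0.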
Details
- CWE(s)