ZCyberNews

CVE-2026-2586: Authenticated RCE in GlassFish Admin Console

CVE-2026-2586 (CVSS 9.1) lets authenticated users execute arbitrary OS commands via crafted requests to GlassFish's Administration Console. No patch available as of May 20.


Executive Summary

An authenticated remote code execution vulnerability in the Eclipse GlassFish Administration Console, tracked as CVE-2026-2586 with a CVSS score of 9.1 (Critical), allows attackers with valid console credentials to execute arbitrary operating system commands with the privileges of the application service user. The flaw resides in how the admin console processes crafted HTTP requests: a user who can reach the administrative interface can send specially formed payloads that bypass input validation and invoke system commands directly. No patch or mitigation guidance has been released by the Eclipse Foundation as of May 20, 2026. Defenders running GlassFish in production should treat the admin console as a privileged attack surface and restrict access to trusted networks and users immediately.

Technical Analysis

According to the vulnerability disclosure tracked by the Eclipse Foundation's security working group (issue #87 on GitLab), CVE-2026-2586 is an authenticated command injection flaw in the GlassFish Administration Console. The console, typically exposed on TCP port 4848 by default, accepts administrative operations via HTTP requests. An attacker who has authenticated — either through default credentials, stolen session tokens, or compromised accounts — can craft requests that inject operating system commands into parameters that the console subsequently passes to a shell execution context.

The CVSS 9.1 rating reflects the low attack complexity (no special conditions required beyond authentication), the high impact on confidentiality, integrity, and availability, and the fact that the vulnerability can be exploited over the network. The scope is unchanged, meaning the compromised component is the same as the vulnerable component — the application service user context. The exact parameter or endpoint that accepts the injection has not been publicly detailed by the Eclipse security team as of this writing, which is consistent with responsible disclosure practice before a patch is available.

GlassFish is an open-source Jakarta EE application server widely used in enterprise environments, particularly in legacy or migration-path deployments. The administration console is often left enabled for operational convenience, and in many configurations it is accessible from internal corporate networks without additional authentication layers beyond the built-in credential check. The authenticated nature of the exploit means that credential theft, brute-force attacks, or insider threats are the primary vectors; however, default credentials (admin/admin) remain a known issue in unhardened installations.

Mitigations & Recommendations

Until the Eclipse Foundation releases a security patch, defenders should treat the GlassFish Administration Console as a critical risk surface. The most effective mitigation is to restrict network access to the console interface: bind it to localhost (127.0.0.1) or place it behind a VPN or bastion host that enforces multi-factor authentication. If the console cannot be firewalled, disable it entirely by removing or renaming the admin console web application within the GlassFish deployment, or by making the asadmin command-line interface the sole administrative channel.
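As an added example (not code from the article or from the GlassFish project), the following Python check parses a domain.xml and reports whether the admin listener is bound to a loopback address or left reachable from the network. The two domain.xml fragments are constructed for this example, the element and attribute layout follows the admin listener entry in a GlassFish domain.xml as assumed here, and treating a missing address attribute as 0.0.0.0 (all interfaces) is this example's assumption about the server default.

```python
"""Report whether a GlassFish domain.xml exposes the admin listener on the network."""
import xml.etree.ElementTree as ET

# Constructed domain.xml fragment containing only the elements this check reads.
# The admin listener has no address attribute, which this example assumes means
# it binds to all interfaces (0.0.0.0).
EXPOSED_DOMAIN_XML = """<domain>
  <configs>
    <config name="server-config">
      <network-config>
        <network-listeners>
          <network-listener port="8080" protocol="http-listener-1" transport="tcp"
                            name="http-listener-1" thread-pool="http-thread-pool"/>
          <network-listener port="4848" protocol="admin-listener" transport="tcp"
                            name="admin-listener" thread-pool="admin-thread-pool"/>
        </network-listeners>
      </network-config>
    </config>
  </configs>
</domain>
"""

# Same fragment with the admin listener pinned to loopback (constructed).
HARDENED_DOMAIN_XML = EXPOSED_DOMAIN_XML.replace(
    'name="admin-listener"', 'name="admin-listener" address="127.0.0.1"')

# Same fragment with the admin listener switched off entirely (constructed).
DISABLED_DOMAIN_XML = EXPOSED_DOMAIN_XML.replace(
    'name="admin-listener"', 'name="admin-listener" enabled="false"')

LOOPBACK_ADDRESSES = {"127.0.0.1", "::1", "localhost"}


def admin_listener_binding(domain_xml: str) -> dict:
    """Return port, bind address and enabled state of the admin listener.

    Assumption for this example: an absent address attribute means 0.0.0.0.
    """
    root = ET.fromstring(domain_xml)
    for listener in root.iter("network-listener"):
        if listener.get("name") == "admin-listener":
            return {
                "port": int(listener.get("port", "4848")),
                "address": listener.get("address") or "0.0.0.0",
                "enabled": listener.get("enabled", "true").lower() == "true",
            }
    # No admin listener at all: nothing is listening, so nothing is exposed.
    return {"port": None, "address": None, "enabled": False}


def is_admin_console_network_exposed(domain_xml: str) -> bool:
    """True when the admin listener is enabled and bound to a non-loopback address."""
    binding = admin_listener_binding(domain_xml)
    return binding["enabled"] and binding["address"] not in LOOPBACK_ADDRESSES


def audit(domain_xml: str, label: str) -> str:
    """One-line human-readable verdict for a domain.xml document."""
    b = admin_listener_binding(domain_xml)
    verdict = "EXPOSED" if is_admin_console_network_exposed(domain_xml) else "ok"
    return (f"{label}: admin-listener port={b['port']} address={b['address']} "
            f"enabled={b['enabled']} -> {verdict}")


if __name__ == "__main__":
    print(audit(EXPOSED_DOMAIN_XML, "default domain.xml"))
    print(audit(HARDENED_DOMAIN_XML, "loopback-bound domain.xml"))
    print(audit(DISABLED_DOMAIN_XML, "listener-disabled domain.xml"))
```

On a real host the file to feed in is `domains/<domain>/config/domain.xml` under the GlassFish installation, read with `open(...).read()`. The check is deliberately strict: a listener bound to a private RFC 1918 address still counts as exposed, because the article's concern is any reachable interface beyond the host itself, and a VPN or bastion in front of it is a network control this script cannot see. Whether the `address` attribute is the right knob for your GlassFish version should be confirmed against its documentation before relying on the result.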

Organizations should audit all accounts that have administrative access to GlassFish instances, rotate credentials, and enable logging of all admin console requests. Monitor for anomalous command execution patterns in system logs — particularly invocations of shell interpreters (cmd.exe, /bin/sh, /bin/bash) from the GlassFish service account. In environments where GlassFish is exposed to the internet, immediate remediation should be prioritized, as authenticated RCE flaws in administrative interfaces are frequently targeted by ransomware and initial-access brokers.
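The detection the previous paragraph asks for, shell interpreters launched by the GlassFish service account, as an added Python example that is not part of the article. The process-creation events are constructed JSON lines with field names chosen for this example (loosely modelled on EDR or auditd-derived exports, not any vendor's schema), and the service account names and interpreter list are assumptions to be adjusted per environment.

```python
"""Flag shell interpreters spawned by the GlassFish service account."""
import json
from typing import Optional

# Accounts the application server runs under in this example's environment (assumed).
SERVICE_ACCOUNTS = {"glassfish", "svc-glassfish"}
# Interpreters named in the article plus common equivalents.
SHELL_INTERPRETERS = {"sh", "bash", "dash", "zsh", "cmd.exe", "powershell.exe", "pwsh.exe"}
# Process images that identify the JVM hosting GlassFish.
JVM_IMAGES = {"java", "java.exe"}

# Constructed process-creation events, one JSON object per line. Field names
# (ts, host, user, ppid, pid, parent_image, image, cmdline) are this example's own.
SAMPLE_EVENTS = r"""
{"ts":"2026-05-20T10:01:02Z","host":"app01","user":"glassfish","ppid":2201,"pid":2230,"parent_image":"/usr/bin/bash","image":"/opt/jdk/bin/java","cmdline":"java -cp glassfish.jar com.sun.enterprise.glassfish.bootstrap.ASMain"}
{"ts":"2026-05-20T10:03:15Z","host":"app01","user":"glassfish","ppid":2230,"pid":2401,"parent_image":"/opt/jdk/bin/java","image":"/bin/sh","cmdline":"sh -c id"}
{"ts":"2026-05-20T10:03:16Z","host":"app01","user":"glassfish","ppid":2230,"pid":2402,"parent_image":"/opt/jdk/bin/java","image":"/bin/bash","cmdline":"bash -c 'cat /etc/passwd'"}
{"ts":"2026-05-20T10:04:00Z","host":"app01","user":"root","ppid":1,"pid":2500,"parent_image":"/usr/lib/systemd/systemd","image":"/bin/bash","cmdline":"bash /usr/local/bin/backup.sh"}
{"ts":"2026-05-20T10:05:30Z","host":"app01","user":"glassfish","ppid":2230,"pid":2600,"parent_image":"/opt/jdk/bin/java","image":"/opt/jdk/bin/java","cmdline":"java -version"}
{"ts":"2026-05-20T10:07:11Z","host":"app02","user":"svc-glassfish","ppid":4100,"pid":3120,"parent_image":"C:\\GlassFish\\jdk\\bin\\java.exe","image":"C:\\Windows\\System32\\cmd.exe","cmdline":"cmd.exe /c whoami"}
{"ts":"2026-05-20T10:09:45Z","host":"app01","user":"glassfish","ppid":2900,"pid":3300,"parent_image":"/bin/bash","image":"/bin/bash","cmdline":"bash"}
"""


def basename(path: str) -> str:
    """Last path component, lower-cased, tolerant of Windows separators."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def classify(event: dict) -> Optional[str]:
    """Return a severity for suspicious events, or None for ones to ignore."""
    if event.get("user") not in SERVICE_ACCOUNTS:
        return None
    if basename(event.get("image", "")) not in SHELL_INTERPRETERS:
        return None
    # A shell whose direct parent is the JVM matches the shape of command
    # injection through the admin console; other parents still deserve a look.
    parent_is_jvm = basename(event.get("parent_image", "")) in JVM_IMAGES
    return "high" if parent_is_jvm else "medium"


def find_shell_spawns(jsonl: str) -> list:
    """Scan JSON-lines process events and return alert records in input order."""
    alerts = []
    for line in jsonl.splitlines():
        if not line.strip():
            continue
        event = json.loads(line)
        severity = classify(event)
        if severity is None:
            continue
        alerts.append({
            "ts": event["ts"],
            "host": event["host"],
            "pid": event["pid"],
            "user": event["user"],
            "severity": severity,
            "parent": basename(event["parent_image"]),
            "image": basename(event["image"]),
            "cmdline": event["cmdline"],
        })
    return alerts


if __name__ == "__main__":
    for a in find_shell_spawns(SAMPLE_EVENTS):
        print(f"[{a['severity'].upper()}] {a['ts']} {a['host']} user={a['user']} "
              f"{a['parent']} -> {a['image']} (pid {a['pid']}): {a['cmdline']}")
```

The rule keys on the parent-child relationship rather than on the command text, so it is not defeated by renaming payloads, but it will fire on legitimate deployment scripts that run under the service account; those are best handled by allow-listing known parent images or command lines after review rather than by loosening the rule. Because the vulnerable endpoint is not public, this process-level signal is the closest available proxy for exploitation until admin console request logging can be correlated with it.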
