Vulnerability details: VCID-41ah-1nyc-aych
Vulnerability ID VCID-41ah-1nyc-aych
Aliases CVE-2026-35583
GHSA-hxf2-gm22-7vcm
Summary Emissary has a Path Traversal via Blacklist Bypass in Configuration API

## Summary

The configuration API endpoint (`/api/configuration/{name}`) validated configuration names using a blacklist approach that checked for `\`, `/`, `..`, and trailing `.`. This could potentially be bypassed using URL-encoded variants, double-encoding, or Unicode normalization to achieve path traversal and read configuration files outside the intended directory.

## Details

### Vulnerable code — `Configs.java` (line 126)

```java
protected static String validate(String config) {
    if (StringUtils.isBlank(config) || config.contains("\\") || config.contains("/")
            || config.contains("..") || config.endsWith(".")) {
        throw new IllegalArgumentException("Invalid config name: " + config);
    }
    return Strings.CS.appendIfMissing(config.trim(), CONFIG_FILE_ENDING);
}
```

### Weakness

The blacklist blocked literal `\`, `/`, `..`, and trailing `.` but could potentially miss:

- URL-encoded variants (`%2e%2e%2f`) if decoded after validation
- Double-encoded sequences (`%252e%252e%252f`)
- Unicode normalization bypasses
- The approach relies on string matching rather than canonical path resolution

### Impact

- Potential read access to configuration files outside the intended config directory
- Information disclosure of sensitive configuration values

## Remediation

Fixed in [PR #1292](https://github.com/NationalSecurityAgency/emissary/pull/1292), merged into release 8.39.0.

The blacklist was replaced with an allowlist regex that only permits characters matching `^[a-zA-Z0-9._-]+$`:

```java
protected static final Pattern VALID_CONFIG_NAME = Pattern.compile("^[a-zA-Z0-9._-]+$");

protected static String validate(String config) {
    if (!VALID_CONFIG_NAME.matcher(config).matches() || config.contains("..") || config.endsWith(".")) {
        throw new IllegalArgumentException("Invalid config name: " + config);
    }
    return Strings.CS.appendIfMissing(config.trim(), CONFIG_FILE_ENDING);
}
```

This ensures that any character outside the allowed set — including encoded slashes, percent signs, and Unicode sequences — is rejected before the config name reaches the filesystem. Tests were added to verify that URL-encoded (`%2e%2e%2f`), double-encoded (`%252e%252e%252f`), and Unicode (`U+002F`) traversal attempts are blocked.

## Workarounds

If upgrading is not immediately possible, deploy a reverse proxy or WAF rule that rejects requests to `/api/configuration/` containing encoded path traversal sequences.

## References

- [PR #1292 — validate config name with an allowlist](https://github.com/NationalSecurityAgency/emissary/pull/1292)
- Original report: GHSA-wjqm-p579-x3ww
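The advisory contrasts a blacklist check with an allowlist check and points out that neither is a substitute for canonical path resolution. The Python below is an added example, not Emissary's code or part of the advisory: it re-implements both validators as described on the page, adds the canonical-path containment check the advisory says string matching lacks, and runs all three over a constructed list of names that includes the encoded sequences quoted above. The `CONFIG_FILE_ENDING` value, the `CONFIG_DIR` location, and the sample names are assumptions; nothing is read from disk.

```python
import re
from pathlib import Path
from urllib.parse import unquote

# Assumed suffix: the page references CONFIG_FILE_ENDING but does not give its value.
CONFIG_FILE_ENDING = ".cfg"


def append_if_missing(name: str, suffix: str) -> str:
    """Python stand-in for the case-sensitive Strings.CS.appendIfMissing."""
    return name if name.endswith(suffix) else name + suffix


def blacklist_validate(config: str) -> str:
    """Pre-fix check: refuse literal '\\', '/', '..' and a trailing '.'.
    Anything that is not one of those literal byte sequences passes,
    which is the weakness the advisory describes."""
    if (not config or not config.strip() or "\\" in config or "/" in config
            or ".." in config or config.endswith(".")):
        raise ValueError(f"Invalid config name: {config}")
    return append_if_missing(config.strip(), CONFIG_FILE_ENDING)


VALID_CONFIG_NAME = re.compile(r"[a-zA-Z0-9._-]+")


def allowlist_validate(config: str) -> str:
    """Post-fix check from PR #1292: only [a-zA-Z0-9._-] may appear, and '..'
    and a trailing '.' are still refused. '%', '\\', '/' and every non-ASCII
    code point fail the regex, so encoded sequences never reach the filesystem."""
    if (not VALID_CONFIG_NAME.fullmatch(config) or ".." in config
            or config.endswith(".")):
        raise ValueError(f"Invalid config name: {config}")
    return append_if_missing(config.strip(), CONFIG_FILE_ENDING)


def resolve_under(base: Path, filename: str) -> Path:
    """Canonical-path containment: resolve the final path and require that it
    still lies under base. This is the defence-in-depth check the advisory
    notes a string-matching validator does not provide."""
    base = base.resolve()
    candidate = (base / filename).resolve()
    if base not in candidate.parents:
        raise ValueError(f"{candidate} escapes {base}")
    return candidate


def audit_name(config: str, base: Path) -> dict:
    """Report what each validator decides for one name, and whether a
    blacklist-accepted name would escape base if it were URL-decoded only
    after validation (the ordering the advisory warns about)."""
    result = {"blacklist_accepts": False, "allowlist_accepts": False,
              "escapes_after_decode": False}
    try:
        filename = blacklist_validate(config)
        result["blacklist_accepts"] = True
    except ValueError:
        filename = None
    try:
        allowlist_validate(config)
        result["allowlist_accepts"] = True
    except ValueError:
        pass
    if filename is not None:
        # Two unquote passes model a front end that decodes once and an
        # application that decodes again, the situation double-encoding targets.
        decoded = unquote(unquote(filename))
        try:
            resolve_under(base, decoded)
        except ValueError:
            result["escapes_after_decode"] = True
    return result


def audit(names, base: Path) -> dict:
    """Audit every candidate name and return name -> verdict."""
    return {name: audit_name(name, base) for name in names}


# Constructed sample names; the two encoded entries are the sequences quoted in the advisory.
SAMPLE_NAMES = [
    "emissary.cfg",
    "my-config",
    "../secrets.cfg",
    "%2e%2e%2fsecrets",
    "%252e%252e%252fsecrets",
    "caf\u00e9",
    "trailing.",
]
CONFIG_DIR = Path("/srv/emissary/config")  # assumed directory; it need not exist

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_NAMES, CONFIG_DIR).items():
        print(f"{name!r:28} {verdict}")
```

Running it shows the pattern the advisory describes: the two percent-encoded names pass the blacklist and, once decoded, resolve outside `CONFIG_DIR`, while the allowlist rejects them on the `%` alone. The non-ASCII name also passes the blacklist but fails the allowlist, which is why the fix does not need to reason about normalization at all. Keeping `resolve_under` as a second, independent check means a future change to the name validator cannot silently reopen the traversal.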
Status Published
Exploitability None
Weighted Severity None
Risk None
Affected and Fixed Packages Package Details
Weaknesses (1)
System Score Found at
epss 0.00038 https://api.first.org/data/v1/epss?cve=CVE-2026-35583
epss 0.0005 https://api.first.org/data/v1/epss?cve=CVE-2026-35583
cvssv3.1_qr MODERATE https://github.com/advisories/GHSA-hxf2-gm22-7vcm
cvssv3.1 5.3 https://github.com/NationalSecurityAgency/emissary
generic_textual MODERATE https://github.com/NationalSecurityAgency/emissary
cvssv3.1 5.3 https://github.com/NationalSecurityAgency/emissary/pull/1292
generic_textual MODERATE https://github.com/NationalSecurityAgency/emissary/pull/1292
cvssv3.1 5.3 https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-hxf2-gm22-7vcm
cvssv3.1_qr MODERATE https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-hxf2-gm22-7vcm
generic_textual MODERATE https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-hxf2-gm22-7vcm
ssvc Track https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-hxf2-gm22-7vcm
cvssv3.1 5.3 https://nvd.nist.gov/vuln/detail/CVE-2026-35583
generic_textual MODERATE https://nvd.nist.gov/vuln/detail/CVE-2026-35583
No exploits are available.
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/NationalSecurityAgency/emissary
Attack Vector (AV): network; Attack Complexity (AC): low; Privileges Required (PR): none; User Interaction (UI): none; Scope (S): unchanged; Confidentiality Impact (C): low; Integrity Impact (I): none; Availability Impact (A): none

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/NationalSecurityAgency/emissary/pull/1292

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-hxf2-gm22-7vcm
Vector: SSVCv2/E:N/A:Y/T:P/P:M/B:A/M:M/D:T/2026-04-09T16:12:26Z/ Found at https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-hxf2-gm22-7vcm
Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N Found at https://nvd.nist.gov/vuln/detail/CVE-2026-35583
Exploit Prediction Scoring System (EPSS)
Percentile 0.11499
EPSS Score 0.00038
Published At April 8, 2026, 12:55 p.m.
Date Actor Action Source VulnerableCode Version
2026-04-08T12:46:20.021944+00:00 GithubOSV Importer Import https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-hxf2-gm22-7vcm/GHSA-hxf2-gm22-7vcm.json 38.1.0