Skip to main content

Emissary CVE-2026-35583

| EUVDEUVD-2026-19732 MEDIUM
Path Traversal (CWE-22)
2026-04-07 GitHub_M GHSA-hxf2-gm22-7vcm
5.3
CVSS 3.1 · GitHub Advisory
Share

Severity by source

GitHub Advisory PRIMARY
5.3 MEDIUM
AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

Primary rating from GitHub Advisory · only source for this CVE.

CVSS VectorGitHub Advisory

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

4
Patch released
Apr 08, 2026 - 02:30 nvd
Patch available
EUVD ID Assigned
Apr 07, 2026 - 16:30 euvd
EUVD-2026-19732
Analysis Generated
Apr 07, 2026 - 16:30 vuln.today
CVE Published
Apr 07, 2026 - 15:57 nvd
MEDIUM 5.3

DescriptionGitHub Advisory

Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the configuration API endpoint (/api/configuration/{name}) validated configuration names using a blacklist approach that checked for \, /, .., and trailing .. This could potentially be bypassed using URL-encoded variants, double-encoding, or Unicode normalization to achieve path traversal and read configuration files outside the intended directory. This vulnerability is fixed in 8.39.0.

AnalysisAI

Emissary versions prior to 8.39.0 allow unauthenticated remote attackers to read arbitrary configuration files through path traversal via the /api/configuration/{name} endpoint. The vulnerability stems from incomplete blacklist validation of configuration names that can be bypassed using URL-encoded variants, double-encoding, or Unicode normalization attacks. No public exploit code or active exploitation has been confirmed.

Technical ContextAI

Emissary is a P2P-based data-driven workflow engine developed by the National Security Agency. The vulnerability resides in the configuration API endpoint (/api/configuration/{name}), which implements a blacklist-based validation approach to prevent path traversal attacks. This blacklist checks for literal backslashes (\), forward slashes (/), parent directory references (..), and trailing dots (..). However, blacklist-based validation is inherently weak because it fails to account for alternative encodings and normalization techniques that represent the same path traversal sequences. Attackers can bypass this protection through URL encoding (e.g., %2e%2e%2f for ../), double-encoding (e.g., %252e%252e%252f), or Unicode normalization to convert blocked characters into functionally equivalent representations that the validation logic does not recognize. This is a classic instance of CWE-22 (Improper Limitation of a Pathname to a Restricted Directory), where the application fails to properly constrain file access to the intended directory boundary.

RemediationAI

Upgrade Emissary to version 8.39.0 or later, which includes a fix that replaces the insufficient blacklist validation with proper path traversal protection. The patch is confirmed released in version 8.39.0. Users unable to upgrade immediately should implement network-level access controls to restrict access to the /api/configuration/ endpoint to trusted internal networks only, or disable the configuration API endpoint if it is not required for production operations. For detailed remediation guidance and confirmation of patch availability, consult the official GitHub security advisory at https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-hxf2-gm22-7vcm.

CVE-2021-32639 CRITICAL POC
9.9 Jul 02

Emissary is a P2P-based, data-driven workflow engine. Rated critical severity (CVSS 9.9), this vulnerability is remotely

CVE-2021-32647 CRITICAL POC
9.1 Jun 01

Emissary is a P2P based data-driven workflow engine. Rated critical severity (CVSS 9.1), this vulnerability is remotely

CVE-2021-32096 HIGH POC
8.8 May 07

The ConsoleAction component of U.S. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, no authe

CVE-2021-32093 MEDIUM POC
6.5 May 07

The ConfigFileAction component of U.S. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low

CVE-2021-32092 MEDIUM POC
6.1 May 07

A Cross-site scripting (XSS) vulnerability in the DocumentAction component of U.S. Rated medium severity (CVSS 6.1), thi

CVE-2021-32094 HIGH
8.8 May 07

U.S. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch

CVE-2021-32095 HIGH
8.1 May 07

U.S. Rated high severity (CVSS 8.1), this vulnerability is remotely exploitable, low attack complexity. No vendor patch

CVE-2026-35581 HIGH
7.2 Apr 07

Command injection in NSA Emissary P2P workflow engine (versions prior to 8.39.0) allows authenticated remote administrat

CVE-2021-32634 HIGH
7.2 May 21

Emissary is a distributed, peer-to-peer, data-driven workflow framework. Rated high severity (CVSS 7.2), this vulnerabil

CVE-2026-35571 MEDIUM
4.8 Apr 07

Stored cross-site scripting in Emissary prior to 8.39.0 allows authenticated administrators to inject malicious javascri

Share

CVE-2026-35583 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy