Skip to main content

Payara Server EUVDEUVD-2026-38793

| CVE-2026-12986 HIGH
Cross-Site Request Forgery (CSRF) (CWE-352)
2026-06-24 Payara GHSA-x939-7fq5-v9v6
7.3
CVSS 4.0 · Vendor: Payara
Share

Severity by source

Vendor (Payara) PRIMARY
7.3 HIGH
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:M/U:Amber
vuln.today AI
8.3 HIGH

Browser-delivered CSRF/SSRF is network-reachable (AV:N); needs a logged-in admin victim to be tricked, so UI:R and AC:H; PR:N as the attacker is unauthenticated; stolen token enabling REST RCE changes scope (S:C) with full C/I/A impact.

3.1 AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H

Primary rating from Vendor (Payara).

CVSS VectorVendor: Payara

CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:M/U:Amber
Attack Vector
Adjacent
Attack Complexity
Low
Privileges Required
None
User Interaction
A
Scope
P

Lifecycle Timeline

2
Patch available
Jun 24, 2026 - 16:01 EUVD
Analysis Generated
Jun 24, 2026 - 14:51 vuln.today

DescriptionCVE.org

A critical vulnerability in Admin GUI in Payara Server Full 4.x, 5.x, 6.x, 7.x, 7.2026.x, 6.2025.x, 6.2024.x on All platforms that allows the attacker to leak the admin gfresttoken to an attacker-controlled host that can result in a full unauthenticated takeover of Payara admin domain.

A Server-Side Request Forgery (SSRF) vulnerability in the DownloadServlet of the Admin GUI in Payara Server allows a remote attacker to exfiltrate the administrator's REST session token (gfresttoken) to an attacker-controlled host via a crafted request URL. Combined with the absence of CSRF protection on DownloadServlet, an unauthenticated attacker can trick a logged-in administrator into triggering the token leak, then replay the stolen token to gain full administrative access to the Payara domain, leading to arbitrary code execution via WAR deployment. The vulnerability exists in the DownloadServlet and associated ContentSource implementations (LogViewerContentSource, LogFilesContentSource, LBConfigContentSource, ClientStubsContentSource) within the admingui:console-common module.

AnalysisAI

Full unauthenticated administrative takeover of Payara Server Full (4.x through 7.2026.x, including 6.2024.x and 6.2025.x) is achievable by chaining a Server-Side Request Forgery in the Admin GUI's DownloadServlet with the absence of CSRF protection (CWE-352). An attacker who lures a logged-in administrator into a crafted request exfiltrates the admin REST session token (gfresttoken) to an attacker-controlled host, then replays it for full domain control and arbitrary code execution via WAR deployment. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Lure logged-in admin to crafted link
Delivery
Forge request to unprotected DownloadServlet
Exploit
SSRF leaks gfresttoken to attacker host
Execution
Replay stolen token on admin REST API
Persist
Deploy malicious WAR
Impact
Execute code, full domain takeover

Vulnerability AssessmentAI

Exploitation Exploitation requires that a victim administrator currently holds an authenticated Payara Admin GUI session (a valid gfresttoken) AND is induced to trigger an attacker-crafted request to the DownloadServlet - the CVSS vector confirms PR:N (no attacker authentication) but UI:A and AT:P (active user interaction plus an attack requirement, namely the existing admin session). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 4.0 base score is 7.3 (High) with vector AV:A/AC:L/AT:P/PR:N/UI:A and threat metric E:P, indicating no attacker privileges but mandatory active user interaction (a logged-in admin must trigger the request) plus an attack requirement (a valid admin session must exist). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker hosts a malicious page or sends an administrator a link; while that admin holds an active Payara Admin GUI session, visiting the page triggers a forged request to the vulnerable DownloadServlet that forwards the admin's gfresttoken to the attacker's server. The attacker replays the captured token against the Payara REST management interface to deploy a malicious WAR, achieving arbitrary code execution on the server; a proof-of-concept is indicated by the CVSS E:P maturity flag.
Remediation Vendor-released patch: Payara Server 7.2026.6 (per the Payara Community Release Notes at https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%207.2026.6.html); upgrade to the patched build for your branch and verify backported fixes for the 6.2024.x, 6.2025.x, 5.x, and 4.x lines directly with Payara, since several of those branches are older or may be end-of-support. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

24 hours: Identify all Payara Server Full instances running versions 4.x-7.2026.x; restrict network access to Admin GUI (default port 4848) to administrative networks only; enable detailed logging. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-38793 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy