Severity by source
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:M/U:Amber
Browser-delivered CSRF/SSRF is network-reachable (AV:N); needs a logged-in admin victim to be tricked, so UI:R and AC:H; PR:N as the attacker is unauthenticated; stolen token enabling REST RCE changes scope (S:C) with full C/I/A impact.
Primary rating from Vendor (Payara).
CVSS VectorVendor: Payara
CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:M/U:Amber
Lifecycle Timeline
2DescriptionCVE.org
A critical vulnerability in Admin GUI in Payara Server Full 4.x, 5.x, 6.x, 7.x, 7.2026.x, 6.2025.x, 6.2024.x on All platforms that allows the attacker to leak the admin gfresttoken to an attacker-controlled host that can result in a full unauthenticated takeover of Payara admin domain.
A Server-Side Request Forgery (SSRF) vulnerability in the DownloadServlet of the Admin GUI in Payara Server allows a remote attacker to exfiltrate the administrator's REST session token (gfresttoken) to an attacker-controlled host via a crafted request URL. Combined with the absence of CSRF protection on DownloadServlet, an unauthenticated attacker can trick a logged-in administrator into triggering the token leak, then replay the stolen token to gain full administrative access to the Payara domain, leading to arbitrary code execution via WAR deployment. The vulnerability exists in the DownloadServlet and associated ContentSource implementations (LogViewerContentSource, LogFilesContentSource, LBConfigContentSource, ClientStubsContentSource) within the admingui:console-common module.
AnalysisAI
Full unauthenticated administrative takeover of Payara Server Full (4.x through 7.2026.x, including 6.2024.x and 6.2025.x) is achievable by chaining a Server-Side Request Forgery in the Admin GUI's DownloadServlet with the absence of CSRF protection (CWE-352). An attacker who lures a logged-in administrator into a crafted request exfiltrates the admin REST session token (gfresttoken) to an attacker-controlled host, then replays it for full domain control and arbitrary code execution via WAR deployment. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires that a victim administrator currently holds an authenticated Payara Admin GUI session (a valid gfresttoken) AND is induced to trigger an attacker-crafted request to the DownloadServlet - the CVSS vector confirms PR:N (no attacker authentication) but UI:A and AT:P (active user interaction plus an attack requirement, namely the existing admin session). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The vendor CVSS 4.0 base score is 7.3 (High) with vector AV:A/AC:L/AT:P/PR:N/UI:A and threat metric E:P, indicating no attacker privileges but mandatory active user interaction (a logged-in admin must trigger the request) plus an attack requirement (a valid admin session must exist). … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker hosts a malicious page or sends an administrator a link; while that admin holds an active Payara Admin GUI session, visiting the page triggers a forged request to the vulnerable DownloadServlet that forwards the admin's gfresttoken to the attacker's server. The attacker replays the captured token against the Payara REST management interface to deploy a malicious WAR, achieving arbitrary code execution on the server; a proof-of-concept is indicated by the CVSS E:P maturity flag. |
| Remediation | Vendor-released patch: Payara Server 7.2026.6 (per the Payara Community Release Notes at https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%207.2026.6.html); upgrade to the patched build for your branch and verify backported fixes for the 6.2024.x, 6.2025.x, 5.x, and 4.x lines directly with Payara, since several of those branches are older or may be end-of-support. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
24 hours: Identify all Payara Server Full instances running versions 4.x-7.2026.x; restrict network access to Admin GUI (default port 4848) to administrative networks only; enable detailed logging. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
More in Payara Server
View allSame weakness CWE-352 – Cross-Site Request Forgery (CSRF)
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-38793
GHSA-x939-7fq5-v9v6