CVE-2026-35583
Published 2026-04-07
Priority: P3 · 35 · Severity: medium · CVSS 3.1 base score: 5.3
CVSS 3.1 vector: AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
EPSS: 0.32% (23.8th percentile)
Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the configuration API endpoint (/api/configuration/{name}) validated configuration names using a blacklist approach that checked for \, /, .., and trailing .. This could potentially be bypassed using URL-encoded variants, double-encoding, or Unicode normalization to achieve path traversal and read configuration files outside the intended directory. This vulnerability is fixed in 8.39.0.
Affected (2 ranges)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| nationalsecurityagency | emissary | < 8.39.0 | 8.39.0 |
| nsa | emissary | <= 8.38.0 | — |
GHSA
Emissary has a Path Traversal via Blacklist Bypass in Configuration API
ghsa·2026-04-08
CVE-2026-35583 [MEDIUM] CWE-22
## Summary
The configuration API endpoint (`/api/configuration/{name}`) validated
configuration names using a blacklist approach that checked for `\`, `/`, `..`,
and trailing `.`. This could potentially be bypassed using URL-encoded variants,
double-encoding, or Unicode normalization to achieve path traversal and read
configuration files outside the intended directory.
## Details
### Vulnerable code — `Configs.java` (line 126)
```java
protected static String validate(String config) {
    if (StringUtils.isBlank(config) || config.contains("\\") || config.contains("/")
            || config.contains("..") || config.endsWith(".")) {
        throw new IllegalArgumentException("Invalid config name: " + config);
    }
    return Strings.CS.appendIfMis
```
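The advisory's point is that a blacklist of separator strings is the wrong shape for this check: every encoding or normalization trick works by presenting a string the blacklist does not recognise but the filesystem does. The usual remedy is the inverse, an allowlist of the characters a configuration name may contain, backed by a canonical-path containment check. The class below is an added example written for this page; it is not Emissary's code and not the 8.39.0 fix, whose contents the page does not show. The configuration directory, the `.cfg` suffix and the `ConfigNameValidator` name are assumptions made for illustration.

```java
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.regex.Pattern;

/**
 * Added example (not Emissary's code): an allowlist replacement for the
 * blacklist-style validate() quoted above. The base directory and the
 * ".cfg" suffix are assumptions for illustration.
 */
public final class ConfigNameValidator {

    // Only ASCII letters, digits, '_' and '-' may appear in the name, optionally
    // followed by the literal suffix ".cfg". This rejects the three bypass classes
    // the advisory names without enumerating them: a percent-encoded separator
    // still contains '%', a double-encoded one still contains '%' after the
    // servlet layer's single decode, and any Unicode look-alike is non-ASCII.
    // Separators and ".." are excluded simply because '/', '\' and '.' (outside
    // the suffix) are not in the allowed set.
    private static final Pattern SAFE_NAME =
            Pattern.compile("^[A-Za-z0-9_-]+(\\.cfg)?$");

    private final Path baseDir;

    public ConfigNameValidator(Path baseDir) {
        this.baseDir = baseDir.toAbsolutePath().normalize();
    }

    /**
     * Returns the normalized absolute path of the requested configuration file,
     * or throws if the name fails the allowlist or the resolved path does not
     * stay under the configuration directory.
     */
    public Path resolve(String config) {
        if (config == null || !SAFE_NAME.matcher(config).matches()) {
            // Deliberately does not echo the raw name back to the caller.
            throw new IllegalArgumentException("Invalid config name");
        }
        String fileName = config.endsWith(".cfg") ? config : config + ".cfg";

        // Second, independent layer: even if the allowlist is relaxed later,
        // the canonicalized path must still be inside baseDir.
        Path resolved = baseDir.resolve(fileName).normalize();
        if (!resolved.startsWith(baseDir)) {
            throw new IllegalArgumentException("Invalid config name");
        }
        return resolved;
    }

    public static void main(String[] args) {
        // Constructed sample directory; any path works.
        ConfigNameValidator v = new ConfigNameValidator(Paths.get("/opt/emissary/config"));
        System.out.println(v.resolve("pickup"));      // /opt/emissary/config/pickup.cfg
        System.out.println(v.resolve("pickup.cfg"));  // same file

        // Inputs the old blacklist either rejected or could be tricked on; all of
        // these are rejected here because they contain characters outside the set.
        String[] rejected = {"", "a/b", "a\\b", "..", "a.", "a%2fb", "a\u00e9"};
        for (String name : rejected) {
            try {
                v.resolve(name);
                System.out.println("ACCEPTED (unexpected): " + name);
            } catch (IllegalArgumentException e) {
                System.out.println("rejected: " + name);
            }
        }
    }
}
```

The two layers are intentionally redundant. The allowlist is the primary control and is what makes the encoding and normalization questions moot; the `normalize()` plus `startsWith(baseDir)` check is there so that a later relaxation of the pattern (allowing `.` in names, say) cannot silently reopen the traversal.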
OSV
Emissary has a Path Traversal via Blacklist Bypass in Configuration API
osv·2026-04-08
No detection rules found.
No public exploits indexed.