Vulnerability-Lookup

GHSA-X939-7FQ5-V9V6

Vulnerability from github – Published: 2026-06-24 15:31 – Updated: 2026-06-24 15:31

Details

A Server-Side Request Forgery (SSRF) vulnerability in the DownloadServlet of the Admin GUI in Payara Server allows a remote attacker to exfiltrate the administrator's REST session token (gfresttoken) to an attacker-controlled host via a crafted request URL. Combined with the absence of CSRF protection on DownloadServlet, an unauthenticated attacker can trick a logged-in administrator into triggering the token leak, then replay the stolen token to gain full administrative access to the Payara domain, leading to arbitrary code execution via WAR deployment. The vulnerability exists in the DownloadServlet and associated ContentSource implementations (LogViewerContentSource, LogFilesContentSource, LBConfigContentSource, ClientStubsContentSource) within the admingui:console-common module.

Severity

7.3 (High)


                  
                    CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/S:P/AU:Y/R:U/V:C/RE:M/U:Amber

Show details on source website

JSON

To clipboard

{
  "affected": [],
  "aliases": [
    "CVE-2026-12986"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-352"
    ],
    "github_reviewed": false,
    "github_reviewed_at": null,
    "nvd_published_at": "2026-06-24T15:16:39Z",
    "severity": "HIGH"
  },
  "details": "A critical vulnerability in Admin GUI in Payara Server Full 4.x, 5.x, 6.x, 7.x, 7.2026.x, 6.2025.x, 6.2024.x on All platforms that allows the attacker to leak the admin gfresttoken to an attacker-controlled host that can result in a full unauthenticated takeover of Payara admin domain.\n\nA Server-Side Request Forgery (SSRF) vulnerability in the DownloadServlet of the Admin GUI in Payara Server allows a remote attacker to exfiltrate the administrator\u0027s REST session token (gfresttoken) to an attacker-controlled host via a crafted request URL. Combined with the absence of CSRF protection on DownloadServlet, an unauthenticated attacker can trick a logged-in administrator into triggering the token leak, then replay the stolen token to gain full administrative access to the Payara domain, leading to arbitrary code execution via WAR deployment. The vulnerability exists in the\u00a0DownloadServlet\u00a0and associated\u00a0ContentSource\u00a0implementations (LogViewerContentSource,\u00a0LogFilesContentSource,\u00a0LBConfigContentSource,\u00a0ClientStubsContentSource) within the\u00a0admingui:console-common\u00a0module.",
  "id": "GHSA-x939-7fq5-v9v6",
  "modified": "2026-06-24T15:31:48Z",
  "published": "2026-06-24T15:31:48Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-12986"
    },
    {
      "type": "WEB",
      "url": "https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%207.2026.6.html"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:P/AU:Y/R:U/V:C/RE:M/U:Amber",
      "type": "CVSS_V4"
    }
  ]
}

CVE-2026-12986 (GCVE-0-2026-12986)

Vulnerability from cvelistv5 – Published: 2026-06-24 14:08 – Updated: 2026-06-24 14:52 X_Open Source

Summary

A critical vulnerability in Admin GUI in Payara Server Full 4.x, 5.x, 6.x, 7.x, 7.2026.x, 6.2025.x, 6.2024.x on All platforms that allows the attacker to leak the admin gfresttoken to an attacker-controlled host that can result in a full unauthenticated takeover of Payara admin domain. A Server-Side Request Forgery (SSRF) vulnerability in the DownloadServlet of the Admin GUI in Payara Server allows a remote attacker to exfiltrate the administrator's REST session token (gfresttoken) to an attacker-controlled host via a crafted request URL. Combined with the absence of CSRF protection on DownloadServlet, an unauthenticated attacker can trick a logged-in administrator into triggering the token leak, then replay the stolen token to gain full administrative access to the Payara domain, leading to arbitrary code execution via WAR deployment. The vulnerability exists in the DownloadServlet and associated ContentSource implementations (LogViewerContentSource, LogFilesContentSource, LBConfigContentSource, ClientStubsContentSource) within the admingui:console-common module.

Severity

7.3 (High)


                        
                          CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/S:P/AU:Y/R:U/V:C/RE:M/U:Amber

SSVC

Exploitation: none Automatable: no Technical Impact: total

CISA Coordinator (v2.0.3)

CWE

CWE-352 - Cross-Site request forgery (CSRF)
CWE-918 - Server-Side request forgery (SSRF)

Assigner

Payara

References

1 reference

URL	Tags
https://docs.payara.fish/community/docs/Release%2…	release-notes

Impacted products

1 product

Vendor	Product	Version
Payara	Payara Server	Affected: 7.2025.1 , < 7.2026.6 (custom) Affected: 7.0.0 , < 7.1.0 (semver) Affected: 6.0.0 , < 6.39.0 (semver) Affected: 5.20.0 , < 5.88.0 (semver) Affected: 4.1.144 , < 4.1.2.191.56 (custom) Affected: 5.181 , ≤ 5.201.2 (custom) Affected: 5.2020.1 , ≤ 5.2022.5 (custom) Affected: 6.2023.1 , ≤ 6.2025.11 (custom)

Credits

sujaltuladhar1231@gmail.com

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "metrics": [
          {
            "other": {
              "content": {
                "id": "CVE-2026-12986",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "no"
                  },
                  {
                    "Technical Impact": "total"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-06-24T14:52:09.838012Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-06-24T14:52:26.473Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "affected",
          "modules": [
            "Admin GUI"
          ],
          "packageName": "org.glassfish.main.admingui:console-common",
          "platforms": [
            "Windows",
            "Linux",
            "MacOS"
          ],
          "product": "Payara Server",
          "repo": "https://github.com/payara/Payara/",
          "vendor": "Payara",
          "versions": [
            {
              "lessThan": "7.2026.6",
              "status": "affected",
              "version": "7.2025.1",
              "versionType": "custom"
            },
            {
              "lessThan": "7.1.0",
              "status": "affected",
              "version": "7.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "6.39.0",
              "status": "affected",
              "version": "6.0.0",
              "versionType": "semver"
            },
            {
              "lessThan": "5.88.0",
              "status": "affected",
              "version": "5.20.0",
              "versionType": "semver"
            },
            {
              "lessThan": "4.1.2.191.56",
              "status": "affected",
              "version": "4.1.144",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "5.201.2",
              "status": "affected",
              "version": "5.181",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "5.2022.5",
              "status": "affected",
              "version": "5.2020.1",
              "versionType": "custom"
            },
            {
              "lessThanOrEqual": "6.2025.11",
              "status": "affected",
              "version": "6.2023.1",
              "versionType": "custom"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "reporter",
          "value": "sujaltuladhar1231@gmail.com"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "A critical vulnerability in Admin GUI in Payara Server Full 4.x, 5.x, 6.x, 7.x, 7.2026.x, 6.2025.x, 6.2024.x on All platforms that allows the attacker to leak the admin gfresttoken to an attacker-controlled host that can result in a full unauthenticated takeover of Payara admin domain.\u003cbr\u003e\u003cbr\u003eA Server-Side Request Forgery (SSRF) vulnerability in the DownloadServlet of the Admin GUI in Payara Server allows a remote attacker to exfiltrate the administrator\u0027s REST session token (gfresttoken) to an attacker-controlled host via a crafted request URL. Combined with the absence of CSRF protection on DownloadServlet, an unauthenticated attacker can trick a logged-in administrator into triggering the token leak, then replay the stolen token to gain full administrative access to the Payara domain, leading to arbitrary code execution via WAR deployment. The vulnerability exists in the\u0026nbsp;\u003ccode\u003eDownloadServlet\u003c/code\u003e\u0026nbsp;and associated\u0026nbsp;\u003ccode\u003eContentSource\u003c/code\u003e\u0026nbsp;implementations (\u003ccode\u003eLogViewerContentSource\u003c/code\u003e,\u0026nbsp;\u003ccode\u003eLogFilesContentSource\u003c/code\u003e,\u0026nbsp;\u003ccode\u003eLBConfigContentSource\u003c/code\u003e,\u0026nbsp;\u003ccode\u003eClientStubsContentSource\u003c/code\u003e) within the\u0026nbsp;\u003ccode\u003eadmingui:console-common\u003c/code\u003e\u0026nbsp;module.\u003cbr\u003e\u003cdiv\u003e\u003cbr\u003e\u003c/div\u003e"
            }
          ],
          "value": "A critical vulnerability in Admin GUI in Payara Server Full 4.x, 5.x, 6.x, 7.x, 7.2026.x, 6.2025.x, 6.2024.x on All platforms that allows the attacker to leak the admin gfresttoken to an attacker-controlled host that can result in a full unauthenticated takeover of Payara admin domain.\n\nA Server-Side Request Forgery (SSRF) vulnerability in the DownloadServlet of the Admin GUI in Payara Server allows a remote attacker to exfiltrate the administrator\u0027s REST session token (gfresttoken) to an attacker-controlled host via a crafted request URL. Combined with the absence of CSRF protection on DownloadServlet, an unauthenticated attacker can trick a logged-in administrator into triggering the token leak, then replay the stolen token to gain full administrative access to the Payara domain, leading to arbitrary code execution via WAR deployment. The vulnerability exists in the\u00a0DownloadServlet\u00a0and associated\u00a0ContentSource\u00a0implementations (LogViewerContentSource,\u00a0LogFilesContentSource,\u00a0LBConfigContentSource,\u00a0ClientStubsContentSource) within the\u00a0admingui:console-common\u00a0module."
        }
      ],
      "impacts": [
        {
          "capecId": "CAPEC-664",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-664 Server Side Request Forgery"
            }
          ]
        },
        {
          "capecId": "CAPEC-62",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-62 Cross Site Request Forgery"
            }
          ]
        },
        {
          "capecId": "CAPEC-60",
          "descriptions": [
            {
              "lang": "en",
              "value": "CAPEC-60 Reusing Session IDs (aka Session Replay)"
            }
          ]
        }
      ],
      "metrics": [
        {
          "cvssV4_0": {
            "Automatable": "YES",
            "Recovery": "USER",
            "Safety": "PRESENT",
            "attackComplexity": "LOW",
            "attackRequirements": "PRESENT",
            "attackVector": "ADJACENT",
            "baseScore": 7.3,
            "baseSeverity": "HIGH",
            "exploitMaturity": "PROOF_OF_CONCEPT",
            "privilegesRequired": "NONE",
            "providerUrgency": "AMBER",
            "subAvailabilityImpact": "HIGH",
            "subConfidentialityImpact": "HIGH",
            "subIntegrityImpact": "HIGH",
            "userInteraction": "ACTIVE",
            "valueDensity": "CONCENTRATED",
            "vectorString": "CVSS:4.0/AV:A/AC:L/AT:P/PR:N/UI:A/VC:H/VI:H/VA:H/SC:H/SI:H/SA:H/E:P/S:P/AU:Y/R:U/V:C/RE:M/U:Amber",
            "version": "4.0",
            "vulnAvailabilityImpact": "HIGH",
            "vulnConfidentialityImpact": "HIGH",
            "vulnIntegrityImpact": "HIGH",
            "vulnerabilityResponseEffort": "MODERATE"
          },
          "format": "CVSS",
          "scenarios": [
            {
              "lang": "en",
              "value": "GENERAL"
            }
          ]
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-352",
              "description": "CWE-352 Cross-Site request forgery (CSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918 Server-Side request forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-06-24T14:18:36.828Z",
        "orgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
        "shortName": "Payara"
      },
      "references": [
        {
          "tags": [
            "release-notes"
          ],
          "url": "https://docs.payara.fish/community/docs/Release%20Notes/Release%20Notes%207.2026.6.html"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "tags": [
        "x_open-source"
      ],
      "x_generator": {
        "engine": "Vulnogram 1.0.2"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "769c9ae7-73c3-4e47-ae19-903170fc3eb8",
    "assignerShortName": "Payara",
    "cveId": "CVE-2026-12986",
    "datePublished": "2026-06-24T14:08:02.332Z",
    "dateReserved": "2026-06-23T11:45:33.366Z",
    "dateUpdated": "2026-06-24T14:52:26.473Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2"
}

Sightings

Author	Source	Type	Date	Other

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

GHSA-X939-7FQ5-V9V6

CVE-2026-12986 (GCVE-0-2026-12986)

Tags

Sightings

Nomenclature