PatchSiren cyber security CVE debrief
CVE-2026-2586 Eclipse Foundation CVE debrief
CVE-2026-2586 is a critical authenticated remote code execution issue in GlassFish’s Administration Console. The supplied record says a user with access to the panel can send crafted requests that lead to arbitrary operating system command execution under the privileges of the application service user. Because exploitation requires high privileges but no user interaction, and the impact spans confidentiality, integrity, and availability, this should be treated as an urgent administrative-console exposure risk.
- Vendor: Eclipse Foundation
- Product: Eclipse GlassFish
- CVSS: CRITICAL 9.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-19
- Original CVE updated: 2026-05-21
- Advisory published: 2026-05-19
- Advisory updated: 2026-05-21
Who should care
GlassFish administrators, platform and SRE teams, security operations, and any organization that exposes the Administration Console or delegates console access to operators or integrators.
Technical summary
The CVE description reports authenticated RCE in the GlassFish Administration Console via crafted requests. The NVD vector is CVSS 3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H, indicating network reachability, low attack complexity, high privileges required, no user interaction, changed scope, and high impact across CIA. The listed weakness classes are CWE-94 and CWE-917. The practical risk is that a compromised or over-privileged console account could be used to execute operating system commands as the application service account.
Defensive priority
Critical — prioritize immediate review of any exposed GlassFish Administration Console instances and restrict administrative access until vendor remediation guidance is available and applied.
Recommended defensive actions
- Identify every GlassFish deployment and confirm whether the Administration Console is enabled and reachable from any untrusted network.
- Restrict console access to tightly controlled administrative networks or VPN paths, and remove any unnecessary user access.
- Apply vendor or project remediation as soon as it is published; monitor the official CVE/NVD record and the Eclipse assignment issue for updates.
- Review console authentication and authorization paths for over-privileged accounts and disable stale or shared administrator credentials.
- Audit the service account running GlassFish and reduce its operating-system privileges to the minimum required for operation.
- Check logs for unusual Administration Console requests, unexpected process creation, or command execution activity around the CVE publication date.
- If compromise is suspected, isolate the host, rotate affected credentials, and perform a focused review of system and application logs.
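A configuration check supporting the first two actions above (inventory and reachability of the Administration Console), added here as an example and not taken from PatchSiren, Eclipse, or the GlassFish project. It parses a constructed domain.xml fragment and reports an admin listener that is not bound to a loopback address, and whether secure admin (the GlassFish setting that permits administration from remote hosts) is enabled. The element and attribute names (network-listener with protocol="admin-listener", the default port 4848, absent address meaning all interfaces, and a secure-admin element) are assumptions to verify against the domain.xml of your installed version.

```python
"""Flag GlassFish domains whose Administration Console is reachable beyond loopback.

Added example, not vendor code. Assumed domain.xml layout (verify per version):
  <network-listener protocol="admin-listener" port="4848" address="..."/>
  <secure-admin enabled="true"/>   # present and true => remote admin permitted
An absent address attribute is assumed to mean "all interfaces".
"""
import ipaddress
import xml.etree.ElementTree as ET

# Constructed sample fragment (not from a real deployment): admin listener with
# no address (all interfaces) and no secure-admin element.
SAMPLE_DOMAIN_XML = """<domain>
  <configs><config name="server-config">
    <network-config><network-listeners>
      <network-listener port="4848" protocol="admin-listener" name="admin-listener"/>
      <network-listener port="8080" protocol="http-listener-1" name="http-listener-1"/>
    </network-listeners></network-config>
  </config></configs>
</domain>"""


def _is_loopback(address: str) -> bool:
    """True for 'localhost' or any loopback IP literal."""
    if address == "localhost":
        return True
    try:
        return ipaddress.ip_address(address).is_loopback
    except ValueError:
        return False  # a hostname we cannot classify: treat as not loopback


def admin_console_findings(domain_xml: str) -> list:
    """Return a list of exposure findings for the admin listener(s) in domain_xml."""
    root = ET.fromstring(domain_xml)
    findings = []
    for nl in root.iter("network-listener"):
        if nl.get("protocol") != "admin-listener":
            continue
        if nl.get("enabled", "true").lower() != "true":
            continue  # a disabled listener is not reachable
        address = nl.get("address", "0.0.0.0")  # assumption: absent = all interfaces
        port = nl.get("port", "4848")
        if not _is_loopback(address):
            findings.append(f"admin listener {nl.get('name')} bound to {address}:{port}")
    secure_admin = root.find(".//secure-admin")
    if secure_admin is not None and secure_admin.get("enabled", "false").lower() == "true":
        findings.append("secure-admin enabled: administration from remote hosts permitted")
    return findings


if __name__ == "__main__":
    for finding in admin_console_findings(SAMPLE_DOMAIN_XML):
        print("FINDING:", finding)
```

Run it against each domain.xml found in your inventory; an empty result means the admin listener is loopback-only and remote administration is off.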
Evidence notes
The supplied corpus states: 'An authenticated Remote Code Execution (RCE) vulnerability was identified in GlassFish's Administration Console' and that a user with panel access can execute arbitrary OS commands with the application service user’s privileges. The NVD metadata provides CVSS 3.1 AV:N/AC:L/PR:H/UI:N/S:C/C:H/I:H/A:H and weaknesses CWE-94 and CWE-917. The NVD status in the snapshot is 'Undergoing Analysis.' The corpus also includes an Eclipse CVE assignment issue as a reference, but the vendor/product attribution is not fully resolved in the supplied data.
Official resources
- CVE-2026-2586 CVE record (CVE.org)
- CVE-2026-2586 NVD detail (NVD)
- Source item URL: nvd_modified
- Mitigation or vendor reference: [email protected] - Issue Tracking, Third Party Advisory, Exploit
CVE published on 2026-05-19 and modified later the same day in the supplied record. The NVD snapshot provided with the corpus was still marked 'Undergoing Analysis' at that time. Vendor attribution is low-confidence in the supplied data, so