PatchSiren cyber security CVE debrief
CVE-2026-42785 Openkm CVE debrief
CVE-2026-42785 is a high-severity remote code execution vulnerability in OpenKM 6.3.12, published on 2026-05-26. It allows an authenticated administrator to execute arbitrary Java/BeanShell code through the /admin/Scripting endpoint by submitting script content with the action=Evaluate parameter; the script runs inside the OpenKM application server process, so operating system commands execute with that process's privileges. The CVSS 4.0 vector indicates network attack vector, low attack complexity, no attack requirements, high privileges required, no user interaction, and high impact on confidentiality, integrity, and availability. The weakness is classified as CWE-94 (Improper Control of Generation of Code). Multiple source references provide technical details, including a Terra System Labs disclosure, an Exploit-DB entry, and Nuclei detection templates. The NVD record status is currently 'Deferred'. No exploitation in ransomware campaigns has been documented, and the vulnerability is not listed in CISA KEV in the evidence available to this debrief.
- Vendor: Openkm
- Product: OpenKM Community Edition
- CVSS: HIGH 8.6
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-26
- Original CVE updated: 2026-05-26
- Advisory published: 2026-05-26
- Advisory updated: 2026-05-26
Who should care
Organizations running OpenKM 6.3.12 document management systems, particularly those whose administrative interface is reachable from the internet or from untrusted internal networks. Security teams responsible for content management system security, application security engineers, and incident response teams monitoring for authenticated RCE in Java-based enterprise applications.
Technical summary
OpenKM 6.3.12 exposes a BeanShell scripting interface at /admin/Scripting that evaluates submitted Java/BeanShell code when called with the action=Evaluate parameter. An authenticated administrator can submit a script that runs operating system commands with the privileges of the application server process. The vulnerability requires high privileges but no user interaction, is reachable over the network, and has low attack complexity. Because the scripting console is an intended administrative feature, the practical exposure is any path to an administrator session: an admin interface reachable from untrusted networks, weak or reused administrator credentials, or a stolen session.
Defensive priority
HIGH
Recommended defensive actions
- Restrict access to /admin/Scripting endpoint to trusted administrative hosts only
- Implement network segmentation to limit OpenKM administrative interface exposure
- Monitor for suspicious BeanShell script execution in application logs
- Apply principle of least privilege for OpenKM administrative accounts
- Review and audit administrative script execution history for unauthorized activity
- Consider disabling scripting functionality if not required for business operations
- Deploy web application firewall rules to detect and block malicious script submission patterns, treating this as a compensating control only: the endpoint accepts arbitrary BeanShell, so signature matching will not catch every payload, and network restriction of the endpoint should take precedence
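The monitoring and access-restriction actions above can be audited retroactively from the servlet container's access log. The following script is an added example written for this debrief; it is not OpenKM code, not part of the Terra System Labs disclosure, and not one of the Nuclei templates. It assumes Tomcat-style common-format access log lines (%h %l %u %t "%r" %s %b), a constructed trusted administrative network of 10.10.0.0/24, and constructed sample log lines. It flags every hit on /admin/Scripting from outside the trusted range, and separately flags evaluation requests from trusted hosts for review against change records. One caveat the code handles explicitly: an access log records only the query string, so an action=Evaluate parameter sent in a POST body is invisible there; the script therefore treats any POST to the endpoint as a probable evaluation and leaves confirmation to OpenKM's own application logs.

```python
"""Flag access-log hits on the OpenKM /admin/Scripting endpoint.

Added example for this debrief, not OpenKM or advisory code. Assumes
Tomcat common access log format: %h %l %u %t "%r" %s %b. The trusted
network, usernames and sample lines below are constructed.
"""
import ipaddress
import re
from urllib.parse import parse_qs, urlsplit

# Assumption: administrator workstations live in this range. Adjust locally.
TRUSTED_ADMIN_NETS = [ipaddress.ip_network("10.10.0.0/24")]

SCRIPTING_PATH = "/admin/Scripting"  # may sit under a context path such as /OpenKM

# host ident user [time] "METHOD target protocol" status bytes
LOG_RE = re.compile(
    r'^(?P<host>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Return a dict for one access-log line, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def is_trusted(host):
    """True if the client address falls inside a trusted admin network."""
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        return False
    return any(ip in net for net in TRUSTED_ADMIN_NETS)


def classify(rec):
    """Label one parsed record, or return None if it is not of interest."""
    if SCRIPTING_PATH not in rec["path"]:
        return None
    # action=Evaluate in the query string is an explicit evaluation request.
    # A POST may carry the parameter in its body, which the access log does
    # not record, so every POST to the endpoint counts as a probable one.
    evaluates = (
        rec["query"].get("action", [""])[0] == "Evaluate"
        or rec["method"] == "POST"
    )
    if not is_trusted(rec["host"]):
        return "untrusted-source-evaluate" if evaluates else "untrusted-source-access"
    return "trusted-evaluate" if evaluates else None


def scan(lines):
    """Return (host, user, method, target, label) for each flagged line."""
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        label = classify(rec)
        if label:
            findings.append((rec["host"], rec["user"], rec["method"], rec["target"], label))
    return findings


# Constructed sample lines; not real traffic.
SAMPLE_LOG = [
    '10.10.0.5 - okmAdmin [26/May/2026:10:01:02 +0000] "GET /admin/Scripting HTTP/1.1" 200 5120',
    '10.10.0.5 - okmAdmin [26/May/2026:10:01:30 +0000] "POST /admin/Scripting?action=Evaluate HTTP/1.1" 200 812',
    '203.0.113.7 - okmAdmin [26/May/2026:11:15:44 +0000] "POST /admin/Scripting?action=Evaluate HTTP/1.1" 200 812',
    '203.0.113.7 - okmAdmin [26/May/2026:11:16:01 +0000] "POST /admin/Scripting HTTP/1.1" 200 812',
    '198.51.100.9 - - [26/May/2026:11:20:00 +0000] "GET /OpenKM/login.jsp HTTP/1.1" 200 2048',
    'not an access log line',
]

if __name__ == "__main__":
    for finding in scan(SAMPLE_LOG):
        print(*finding)
```

Run it against the real access log with `scan(open(path))`; the "untrusted-source-*" labels are the ones that justify an incident ticket, while "trusted-evaluate" entries should be reconciled against the administrative script execution history the actions above ask you to audit.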
Evidence notes
Vulnerability disclosed by Terra System Labs with a technical writeup, proof-of-concept code, and Nuclei detection templates. An NVD record exists but its status is 'Deferred'. Vendor website and Docker Hub references confirm OpenKM as the affected product. CVSS 4.0 scoring applies high privileges required (PR:H), which limits the direct attack surface to authenticated administrators.
Official resources
2026-05-26