{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-35583", "assignerOrgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "state": "PUBLISHED", "assignerShortName": "GitHub_M", "dateReserved": "2026-04-03T20:09:02.827Z", "datePublished": "2026-04-07T15:57:41.496Z", "dateUpdated": "2026-04-07T15:57:41.496Z"}, "containers": {"cna": {"title": "Emissary has a Path Traversal via Blacklist Bypass in Configuration API", "problemTypes": [{"descriptions": [{"cweId": "CWE-22", "lang": "en", "description": "CWE-22: Improper Limitation of a Pathname to a Restricted Directory ('Path Traversal')", "type": "CWE"}]}], "metrics": [{"cvssV3_1": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}}], "references": [{"name": "https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-hxf2-gm22-7vcm", "tags": ["x_refsource_CONFIRM"], "url": "https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-hxf2-gm22-7vcm"}], "affected": [{"vendor": "NationalSecurityAgency", "product": "emissary", "versions": [{"version": "< 8.39.0", "status": "affected"}]}], "providerMetadata": {"orgId": "a0819718-46f1-4df5-94e2-005712e83aaa", "shortName": "GitHub_M", "dateUpdated": "2026-04-07T15:57:41.496Z"}, "descriptions": [{"lang": "en", "value": "Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the configuration API endpoint (/api/configuration/{name}) validated configuration names using a blacklist approach that checked for \\, /, .., and trailing .. This could potentially be bypassed using URL-encoded variants, double-encoding, or Unicode normalization to achieve path traversal and read configuration files outside the intended directory. This vulnerability is fixed in 8.39.0."}], "source": {"advisory": "GHSA-hxf2-gm22-7vcm", "discovery": "UNKNOWN"}}}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the configuration API endpoint (/api/configuration/{name}) validated configuration names using a blacklist approach that checked for \\, /, .., and trailing .. This could potentially be bypassed using URL-encoded variants, double-encoding, or Unicode normalization to achieve path traversal and read configuration files outside the intended directory. This vulnerability is fixed in 8.39.0."}], "id": "CVE-2026-35583", "lastModified": "2026-04-08T21:27:00.663", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "NONE", "baseScore": 5.3, "baseSeverity": "MEDIUM", "confidentialityImpact": "LOW", "integrityImpact": "NONE", "privilegesRequired": "NONE", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N", "version": "3.1"}, "exploitabilityScore": 3.9, "impactScore": 1.4, "source": "security-advisories@github.com", "type": "Secondary"}]}, "published": "2026-04-07T17:16:33.663", "references": [{"source": "security-advisories@github.com", "url": "https://github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-hxf2-gm22-7vcm"}], "sourceIdentifier": "security-advisories@github.com", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-22"}], "source": "security-advisories@github.com", "type": "Primary"}]}

{}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[0,8.39.0)"}}], "enrichment": {"confidence": 100.0, "confidence_source": "cna", "scores": [{"score": 100.0, "source": "cna"}]}, "original": {"product": "emissary", "source": "cna", "vendor": "NationalSecurityAgency"}, "product": "emissary", "vendor": "nationalsecurityagency"}], "analysis": {"en": {"generated_at": "2026-04-08T00:22:46.584914+00:00", "value": {"mitigation_remediation": ["Upgrade Emissary to version 8.39.0 or later", "Restrict access to the configuration API so that only trusted administrators or internal services can reach it, enforcing authentication and network segmentation", "Check for vendor updates and apply them promptly"], "summary": {"action": "Apply Patch", "impact": "Information disclosure via path traversal"}, "threat_synthesis": {"affected_systems": "The vulnerability affects National Security Agency Emissary versions earlier than 8.39.0. Any installation that has not been updated to 8.39.0 or later exposes the /api/configuration/{name} endpoint to this risk.", "description_and_impact": "An endpoint in Emissary\u2019s configuration API (/api/configuration/{name}) validated the configuration name using a blacklist that blocked characters such as backslashes, forward slashes, and double periods. Because the blacklist could be bypassed by using URL\u2011encoded, double\u2011encoded, or Unicode\u2011normalized strings, an attacker could supply a crafted name that resolves to a file outside the intended configuration directory, allowing them to read arbitrary configuration files and thereby compromising confidentiality.", "risk_and_exploitability": "The CVSS score of 5.3 indicates a moderate severity level, and according to the data there is no EPSS score or KEV listing. Based on the description, it is inferred that the attack requires an attacker to send an HTTP request to the vulnerable endpoint. If the endpoint is reachable by untrusted users or publicly exposed, the attacker could then execute a path traversal and read configuration files, resulting in moderate risk due to potential confidentiality damage."}}}}, "created": "2026-04-08T19:37:01.145370+00:00", "updated": "2026-04-08T19:48:06.952932+00:00", "vendors": ["nationalsecurityagency", "nationalsecurityagency$PRODUCT$emissary"]}