Medium severity5.3NVD Advisory· Published Apr 7, 2026· Updated Apr 16, 2026

CVE-2026-35583

Description

Emissary is a P2P based data-driven workflow engine. Prior to 8.39.0, the configuration API endpoint (/api/configuration/{name}) validated configuration names using a blacklist approach that checked for \, /, .., and trailing .. This could potentially be bypassed using URL-encoded variants, double-encoding, or Unicode normalization to achieve path traversal and read configuration files outside the intended directory. This vulnerability is fixed in 8.39.0.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
gov.nsa.emissary:emissaryMaven	< 8.39.0	8.39.0

Affected products

Nsa/Emissary
cpe:2.3:a:nsa:emissary:*:*:*:*:*:*:*:*
Range: <=8.38.0

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

github.com/NationalSecurityAgency/emissary/security/advisories/GHSA-hxf2-gm22-7vcmnvdExploitVendor AdvisoryWEB
github.com/advisories/GHSA-hxf2-gm22-7vcmghsaADVISORY
nvd.nist.gov/vuln/detail/CVE-2026-35583ghsaADVISORY
github.com/NationalSecurityAgency/emissary/pull/1292ghsaWEB

News mentions

Chinese APT Abuses Multiple Cloud Tools to Spy on Mongolia
Dark Reading · Apr 24, 2026

cvss	0.345
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000