CVE-2026-42785
Description
OpenKM 6.3.12 contains a remote code execution vulnerability that allows authenticated administrators to execute arbitrary Java/BeanShell code through the /admin/Scripting endpoint. Attackers can submit malicious script content with an action=Evaluate parameter to execute operating system commands in the context of the OpenKM application server.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Authenticated administrators can execute arbitrary code on OpenKM 6.3.12 via the /admin/Scripting endpoint, leading to full server compromise.
Vulnerability
OpenKM Community Edition 6.3.12 (and Pro Edition 7.1.47 and earlier) contains a remote code execution vulnerability in the administrative scripting interface at /admin/Scripting. An authenticated administrator can submit malicious script content with an action=Evaluate parameter to execute arbitrary Java/BeanShell code on the application server [1][3]. The vulnerability exists because the endpoint does not restrict the scripting language or commands that can be executed.
Exploitation
An attacker must have valid administrative credentials to access the /admin/Scripting endpoint. No additional user interaction is required. The attacker sends a POST request with the script content (e.g., Java/BeanShell code that invokes Runtime.exec()) and the action=Evaluate parameter. The exploit code provided in [1] demonstrates a full working proof-of-concept that executes operating system commands. The attack can be performed from any network position that can reach the OpenKM web interface.
Impact
Successful exploitation allows the attacker to execute arbitrary operating system commands in the context of the OpenKM application server. This can lead to full compromise of the server, including access to stored documents, database manipulation, and lateral movement within the network. The vulnerability is classified as critical because it enables complete system takeover by a single authenticated administrator [3].
Mitigation
At the time of publication, no official vendor patch is available for this vulnerability [3]. The vendor's website [4] does not mention a fix. Organizations should restrict access to the /admin/Scripting endpoint to trusted administrators only, implement network segmentation, and monitor for suspicious activity. The vulnerability is not listed in CISA's Known Exploited Vulnerabilities catalog as of the publication date. Users should consider disabling the scripting endpoint if not required, or apply virtual patching via a web application firewall.
AI Insight generated on May 26, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected products
2 affected products.
Patches
No patches discovered yet.
Vulnerability mechanics
Root cause
"The administrative scripting engine executes user-supplied BeanShell code in the application runtime context without sandboxing, command filtering, or execution constraints [ref_id=2]."
Attack vector
An attacker must first authenticate as an administrator (e.g., using default credentials `okmAdmin`/`admin` or compromised credentials) [ref_id=1]. Once authenticated, the attacker navigates to the Scripting page under Administration and submits malicious BeanShell code in the textarea with the `action=Evaluate` parameter [ref_id=1]. The server executes the submitted Java/BeanShell code without sandboxing, allowing the attacker to invoke `Runtime.getRuntime().exec()` to run arbitrary OS commands such as `whoami` [ref_id=1][ref_id=2]. The attack is network-based, requires no user interaction, and achieves full server compromise [ref_id=2].
Affected code
The vulnerability resides in the administrative scripting interface at `/OpenKM/admin/Scripting` [ref_id=1]. The affected code evaluates user-supplied BeanShell script content submitted with an `action=Evaluate` parameter, executing it directly in the application runtime context without sandboxing or command filtering [ref_id=2].
What the fix does
The advisory states that at the time of publication, no official vendor patch was available for this vulnerability [ref_id=1][ref_id=2]. The recommended remediation is to apply compensating controls immediately, such as restricting access to the `/admin/Scripting` endpoint via network segmentation, web application firewall rules, or removing the scripting interface entirely from production deployments [ref_id=1]. Organizations should also monitor vendor advisories for future patches [ref_id=1].
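The Mitigation and "What the fix does" passages above both recommend restricting the scripting endpoint and monitoring it. The script below is an added example (not OpenKM code and not from the cited advisory) of the monitoring half: it scans web-server access-log lines for requests to the administrative scripting path and grades each hit by whether the client address belongs to an assumed administrator network and whether the request carries the `action=Evaluate` parameter in its query string. The log lines, the `10.0.5.0/24` allowlist and the combined-log format are constructed assumptions; the `/OpenKM/admin/Scripting` path and the `action=Evaluate` parameter are taken from the advisory text.

```python
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit, parse_qs

# Constructed sample lines in Apache/Tomcat "combined" access-log style (not real traffic).
SAMPLE_LOG = """\
10.0.5.12 - okmAdmin [26/May/2026:10:14:02 +0000] "POST /OpenKM/admin/Scripting HTTP/1.1" 200 1843 "-" "Mozilla/5.0"
10.0.5.12 - okmAdmin [26/May/2026:10:14:07 +0000] "GET /OpenKM/admin/Scripting?action=Evaluate HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
203.0.113.77 - okmAdmin [26/May/2026:10:15:31 +0000] "POST /OpenKM/admin/Scripting HTTP/1.1" 200 1902 "-" "python-requests/2.31"
10.0.5.40 - user1 [26/May/2026:10:16:00 +0000] "GET /OpenKM/frontend/index.jsp HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
"""

# Assumed network from which administrators are expected to use the scripting page.
ADMIN_ALLOWLIST = [ip_network("10.0.5.0/24")]

# Any context path ending in /admin/Scripting counts (the advisory cites both /admin/Scripting
# and /OpenKM/admin/Scripting).
SCRIPTING_SUFFIX = "/admin/Scripting"

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]+" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Parse one combined-format line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    parts = urlsplit(rec["target"])
    rec["path"] = parts.path
    rec["query"] = parse_qs(parts.query)
    return rec


def classify(rec, allowlist=ADMIN_ALLOWLIST):
    """Return a finding for a hit on the scripting endpoint, or None for unrelated requests."""
    if not rec["path"].rstrip("/").endswith(SCRIPTING_SUFFIX):
        return None
    src = ip_address(rec["ip"])
    from_admin_net = any(src in net for net in allowlist)
    # The parameter is only visible in the log when sent in the query string;
    # POST bodies are not logged, so every POST to the page is treated as a submission.
    evaluate = rec["query"].get("action") == ["Evaluate"]
    if rec["method"] == "POST" or evaluate:
        severity = "high"      # script submission by an expected admin source
    else:
        severity = "info"      # page view only
    if not from_admin_net:
        severity = "critical"  # scripting page reached from outside the admin network
    return {
        "ts": rec["ts"],
        "ip": rec["ip"],
        "user": rec["user"],
        "method": rec["method"],
        "evaluate": evaluate,
        "from_admin_net": from_admin_net,
        "severity": severity,
    }


def scan(text, allowlist=ADMIN_ALLOWLIST):
    """Scan access-log text and return the list of findings in log order."""
    findings = []
    for line in text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        finding = classify(rec, allowlist)
        if finding is not None:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['severity']:8} {f['ts']} {f['ip']} {f['user']} {f['method']} evaluate={f['evaluate']}")
```

Run against the constructed sample the script reports three hits: two `high` findings for the allowlisted administrator (a POST and a GET carrying `action=Evaluate`) and one `critical` finding for the POST from `203.0.113.77`, which is outside the assumed admin network. The same path match (`/admin/Scripting`, any method) is the rule to express in a reverse proxy or WAF when applying the virtual-patching option the advisory recommends.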
Preconditions
- Auth: Attacker must have valid administrative credentials (e.g., default okmAdmin/admin or a compromised admin account)
- Network: The /admin/Scripting endpoint must be network-accessible
- Config: No authentication bypass is needed; the feature is intentionally available to authenticated admins
Reproduction
1. Log in to OpenKM with administrative credentials (e.g., `okmAdmin`/`admin`).
2. Navigate to Administration → Scripting.
3. Enter BeanShell code such as: `import java.io.*; try { Process p = Runtime.getRuntime().exec("whoami"); BufferedReader r = new BufferedReader(new InputStreamReader(p.getInputStream())); print("Current User: " + r.readLine()); } catch (Exception e) { print(e.getMessage()); }`
4. Click Evaluate to execute the script [ref_id=1].
Generated on May 26, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/terrasystemlabs/Exploits/tree/main/OpenKM-Exploits
- github.com/terrasystemlabs/Exploits/tree/main/OpenKM-Exploits/nuclei-templates/openkm-remote-code-execution
- hub.docker.com/r/openkm/openkm-ce
- terrasystemlabs.com/post
- www.exploit-db.com/exploits/52520
- www.openkm.com
- www.vulncheck.com/advisories/openkm-remote-code-execution-via-administrative-scripting
News mentions
No linked articles in our index yet.