5.1.2 Code Injectioninfo

Titel	PowerJob 5.1.0/5.1.1/5.1.2 Code Injection
Beschreibung	A code injection vulnerability was found in PowerJob up to version 5.1.2. The OpenAPI endpoints are unauthenticated by default (oms.auth.openapi.enable defaults to false). An unauthenticated attacker can create a workflow with a DECISION node containing a malicious Groovy script via /openApi/addWorkflowNode, then trigger execution via /openApi/runWorkflow. The Groovy script is executed by GroovyEvaluator.evaluate() on the server JVM without any sandbox, leading to pre-authentication Remote Code Execution (RCE). The manipulation leads to code injection via the nodeParams parameter. The attack can be initiated remotely without authentication.
Quelle	⚠️ https://github.com/PowerJob/PowerJob/issues/1168
Benutzer	anch0r (UID 96691)
Einreichung	24.03.2026 09:21 (vor 22 Tagen)
Moderieren	07.04.2026 15:38 (14 days later)
Status	Akzeptiert
VulDB Eintrag	355747 [PowerJob 5.1.0/5.1.1/5.1.2 OpenAPI Endpoint /openApi/addWorkflowNode GroovyEvaluator.evaluate nodeParams erweiterte Rechte]
Punkte	20

Are you interested in using VulDB?

Download the whitepaper to learn more about our service!