| Title | PowerJob 5.1.0/5.1.1/5.1.2 Code Injection |
|---|
| Description | A code injection vulnerability was found in PowerJob up to version 5.1.2. The OpenAPI endpoints are unauthenticated by default (oms.auth.openapi.enable defaults to false). An unauthenticated attacker can create a workflow with a DECISION node containing a malicious Groovy script via /openApi/addWorkflowNode, then trigger execution via /openApi/runWorkflow. The Groovy script is executed by GroovyEvaluator.evaluate() on the server JVM without any sandbox, leading to pre-authentication Remote Code Execution (RCE). The manipulation leads to code injection via the nodeParams parameter. The attack can be initiated remotely without authentication. |
|---|
| Source | ⚠️ https://github.com/PowerJob/PowerJob/issues/1168 |
|---|
| User | anch0r (UID 96691) |
|---|
| Submission | 03/24/2026 09:21 (15 days ago) |
|---|
| Moderation | 04/07/2026 15:38 (14 days later) |
|---|
| Status | Accepted |
|---|
| VulDB entry | 355747 [PowerJob 5.1.0/5.1.1/5.1.2 OpenAPI Endpoint /openApi/addWorkflowNode GroovyEvaluator.evaluate nodeParams code injection] |
|---|
| Points | 20 |
|---|