CSRF in Payara Server
CVE-2026-12986
A critical vulnerability in the Admin GUI of Payara Server Full 4.x, 5.x, 6.x, 7.x, 7.2026.x, 6.2025.x, 6.2024.x on all platforms allows an attacker to leak the admin gfresttoken to an attacker-controlled host, which can result in a full u…
Vulnerability class: CSRF (Cross-Site Request Forgery)
Affected products
- Payara Server — versions 7.2025.1, 7.0.0, 6.0.0
Weakness classification (CWE)