MEDIUM 6.3

CVE-2026-11408: OS Command Injection in vertex-app Log Viewer Endpoint

A remote code execution vulnerability exists in vertex-app versions up to 2026.02.12, where attackers with user-level access can inject arbitrary operating system commands through the Log Viewer endpoint. The flaw resides in how the application processes user-supplied query parameters without adequate sanitization, allowing an authenticated attacker to execute commands on the underlying server. Public exploit code is available, elevating practical risk despite the moderate CVSS score.

Source data · NVD / CISA · public domain

CVSS
3.1 · 6.3 MEDIUM · CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:L
Weaknesses (CWE)
CWE-77, CWE-78
Affected products
0 configuration(s)
Published / Modified
2026-06-06 / 2026-06-17

NVD description (verbatim)

A vulnerability was identified in vertex-app vertex up to 2026.02.12. This issue affects some unknown processing of the file app/model/LogMod.js of the component Log Viewer Endpoint. Such manipulation of the argument req.query leads to os command injection. The attack can be executed remotely. The exploit is publicly available and might be used. The name of the patch is 805d82e7100d49b79b3beb1b9420e8e458987198. It is best practice to apply a patch to resolve this issue.

8 reference(s) · View on NVD →

SEC.co analysis · AI-assisted, reviewed against source

Technical summary

CVE-2026-11408 is an OS command injection vulnerability in the Log Viewer Endpoint component (app/model/LogMjs) of vertex-app. The vulnerability stems from insufficient input validation on the req.query parameter, which flows directly into system command execution. The attack vector is network-accessible, requires low attack complexity, and necessitates user-level privileges. Classification under CWE-77 (Improper Neutralization of Special Elements used in a Command) and CWE-78 (Improper Neutralization of Special Elements used in an OS Command) confirms the command injection root cause. The patch identifier 805d82e7100d49b79b3beb1b9420e8e458987198 addresses input sanitization in the affected code path.

Business impact

Command injection at the Log Viewer endpoint allows authenticated users to execute arbitrary code with the privileges of the application process. This enables lateral movement, data exfiltration, privilege escalation attempts, or deployment of persistent backdoors. Organizations relying on vertex-app for logging or monitoring face potential operational disruption, compliance violations if sensitive logs are accessed or altered, and reputational damage. The availability of public exploits means opportunistic attackers can readily weaponize this flaw against unpatched systems.

Affected systems

All deployments of vertex-app running version 2026.02.12 or earlier are affected. Organizations should inventory instances by version and prioritize those exposed to untrusted users or multi-tenant environments where lower-privileged accounts exist. Systems isolated to administrators only face reduced but non-zero risk.

Exploitability

The vulnerability is readily exploitable: it requires only network access and valid user credentials, both commonplace in typical deployments. Attack complexity is low, meaning no special environmental conditions are needed. The public availability of exploit code significantly accelerates the attack timeline from discovery to mass exploitation. The requirement for authentication raises the bar slightly compared to unauthenticated flaws, but does not eliminate risk in environments with permissive access controls or shared credentials.

Remediation

Apply the patch identified as commit 805d82e7100d49b79b3beb1b9420e8e458987198 to all vertex-app instances. Verify patch application by confirming the commit hash in your production environment. For environments unable to patch immediately, implement compensating controls: restrict network access to the Log Viewer endpoint via firewall or reverse proxy rules, limit user privileges to minimize the pool of potential attackers, and monitor command execution logs for suspicious activity.

Patch guidance

Consult the vertex-app vendor advisory for the specific release version and deployment procedure corresponding to patch 805d82e7100d49b79b3beb1b9420e8e458987198. Test the patch in a non-production environment before rollout to confirm compatibility with your application version and configuration. Given the low attack complexity and public exploits, prioritize this patch for deployment within 2-4 weeks depending on your change management cadence. Verify the patch application by reviewing the commit hash in your version control or release notes.

Detection guidance

Monitor for suspicious patterns in Log Viewer endpoint requests: look for URL-encoded special characters (backticks, semicolons, pipes, ampersands) in query parameters, particularly those directed at app/model/LogMod.js. Review application logs for unexpected command execution or process spawning originating from the logging module. Network intrusion detection systems should flag requests containing shell metacharacters in the req.query fields. Correlate authentication logs with command execution logs to identify which users triggered suspicious activity.

Why prioritize this

Although CVSS v3.1 rates this as MEDIUM (6.3), the practical risk is elevated due to (1) public exploit availability, (2) low attack complexity requiring no special conditions, (3) command execution enabling full system compromise, and (4) authentication requirement being a common baseline in most deployments. Organizations should treat this as HIGH priority despite the moderate CVSS score, especially if vertex-app is internet-facing or accessible to non-administrative users.

Risk score, explained

The CVSS v3.1 score of 6.3 reflects a network-accessible flaw requiring low privileges and low complexity, with limited impact scope confined to the compromised system (Confidentiality, Integrity, and Availability all marked as Low under the scoring matrix). However, the practical severity is higher: command injection typically escalates to full server compromise, public exploits compress the window for patching, and authenticated access is a low barrier in permissive environments. Security teams should weigh CVSS as one input among exploitability and business context rather than the sole decision criterion.

Frequently asked questions

Do I need valid credentials to exploit this vulnerability?

Yes. The vulnerability requires authentication—attackers must possess valid user-level credentials to access the Log Viewer endpoint. This rules out anonymous exploitation but does not eliminate risk in organizations with overly permissive access controls, shared credentials, or compromised accounts.

What versions of vertex-app are affected?

All versions up to and including 2026.02.12 are affected. Check your deployment version immediately and plan upgrades for any instance within this range. Versions released after the patch commit date should be safe, but verify against the vendor advisory.

Is this vulnerability being actively exploited in the wild?

Public exploit code exists and is available to potential attackers. This significantly increases the likelihood of active exploitation. Organizations should assume that unpatched systems are at elevated risk and prioritize patching accordingly.

Can I mitigate this without patching?

Temporary mitigations include restricting network access to the Log Viewer endpoint via firewall rules, disabling the endpoint if not in use, and limiting user roles that can access logging functions. However, these do not address the underlying flaw—patching remains the definitive remediation.

This analysis is provided for informational purposes and reflects publicly available information as of the vulnerability publication date. Security teams should independently verify all patch versions, affected product ranges, and vendor advisories against authoritative sources. No exploit code, proof-of-concept, or weaponized demonstrations are included in this analysis. Organizations are responsible for assessing their own exposure, testing patches in non-production environments, and implementing changes through their established change management processes. SEC.co makes no warranty regarding the completeness or accuracy of vendor patch information and recommends direct consultation with the vertex-app vendor for authoritative guidance. Source: NVD (public-domain), retrieved 2026-07-14. Analysis generated by SEC.co (claude-haiku-4-5).