PowerJob OpenAPI Endpoint Code Injection Vulnerability (CVE-2026-5739)

hello@craftedsignal.io — Tue, 07 Apr 2026 20:16:34 +0000

A critical code injection vulnerability, identified as CVE-2026-5739, has been discovered in PowerJob, an open-source distributed job scheduling and management platform. This vulnerability affects versions 5.1.0, 5.1.1, and 5.1.2. The vulnerability resides in the GroovyEvaluator.evaluate function of the /openApi/addWorkflowNode endpoint within the OpenAPI component. By manipulating the nodeParams argument, a remote attacker can inject and execute arbitrary code on the server. This vulnerability can be exploited without authentication, posing a significant threat to systems running vulnerable PowerJob instances. The vendor has been notified, but has not yet responded.

Attack Chain

Attacker identifies a vulnerable PowerJob instance running versions 5.1.0, 5.1.1, or 5.1.2.
The attacker crafts a malicious HTTP request targeting the /openApi/addWorkflowNode endpoint.
Within the HTTP request, the attacker injects malicious code into the nodeParams argument, leveraging the GroovyEvaluator.evaluate function.
The PowerJob server receives the request and passes the attacker-controlled nodeParams argument to the vulnerable function.
The GroovyEvaluator.evaluate function processes the malicious code, leading to arbitrary code execution on the server.
The attacker gains control of the PowerJob server with the privileges of the PowerJob process.
The attacker can then use this access to move laterally within the network, exfiltrate sensitive data, or cause a denial of service.

Impact

Successful exploitation of CVE-2026-5739 allows unauthenticated remote attackers to execute arbitrary code on the PowerJob server. This could lead to complete system compromise, data breaches, or disruption of critical job scheduling processes. Given the nature of job scheduling platforms, compromised servers could be used to compromise other systems in the network.

Recommendation

Upgrade PowerJob instances to a patched version that addresses CVE-2026-5739 as soon as a patch is released by the vendor.
Implement network segmentation to limit the impact of a potential compromise of the PowerJob server.
Monitor web server logs for suspicious requests targeting the /openApi/addWorkflowNode endpoint, looking for unusual characters or patterns in the nodeParams argument.
Deploy the Sigma rule Detect PowerJob Groovy Code Injection Attempt to detect exploitation attempts.

PowerJob SQL Injection Vulnerability (CVE-2026-5736)

hello@craftedsignal.io — Tue, 07 Apr 2026 19:16:48 +0000

CVE-2026-5736 is a SQL injection vulnerability affecting PowerJob, an open-source distributed job scheduling and management platform. The vulnerability resides in the InstanceController.java file within the powerjob-server component, specifically in versions 5.1.0, 5.1.1, and 5.1.2. An attacker can remotely exploit this vulnerability by manipulating the customQuery argument of the detailPlus endpoint, injecting malicious SQL code that is then executed by the application’s database. This could lead to unauthorized data access, modification, or deletion. Despite being reported through an issue report, the project has not yet provided a patch or mitigation. This vulnerability poses a significant risk to organizations using vulnerable versions of PowerJob, potentially enabling attackers to compromise sensitive data and disrupt critical job scheduling processes.

Attack Chain

Attacker identifies a vulnerable PowerJob instance running versions 5.1.0, 5.1.1, or 5.1.2.
Attacker crafts a malicious SQL injection payload, targeting the customQuery parameter of the /detailPlus endpoint.
Attacker sends a crafted HTTP request to the vulnerable /detailPlus endpoint, embedding the SQL injection payload within the customQuery parameter.
The PowerJob server receives the request and processes the customQuery parameter without proper sanitization or validation.
The unsanitized customQuery value is incorporated into an SQL query executed against the PowerJob database.
The injected SQL code is executed, allowing the attacker to bypass intended security restrictions and perform unauthorized database operations.
The attacker may extract sensitive data, modify existing records, or even gain control over the underlying database server.
Depending on the attacker’s objectives, they may leverage the compromised database to pivot to other systems or disrupt critical job scheduling processes.

Impact

Successful exploitation of CVE-2026-5736 can lead to a complete compromise of the PowerJob server and its associated database. An attacker could potentially gain access to sensitive data related to job schedules, configurations, and execution history. They could also modify existing jobs, create new malicious jobs, or even disrupt the entire job scheduling system. The exact impact depends on the scope of data stored in the PowerJob database and the attacker’s objectives, but could include data theft, service disruption, and potentially lateral movement within the compromised network.

Recommendation

Upgrade PowerJob to a patched version that addresses CVE-2026-5736 as soon as it becomes available from the vendor.
Implement input validation and sanitization on the customQuery parameter in the detailPlus endpoint to prevent SQL injection attacks.
Deploy the provided Sigma rule Detect Suspicious PowerJob customQuery Parameter to detect potential exploitation attempts targeting the vulnerable endpoint.
Monitor web server logs for suspicious requests to the /detailPlus endpoint containing potentially malicious SQL injection payloads, as covered in the logsource for the Sigma rule.

Powerjob — CraftedSignal Threat Feed

PowerJob OpenAPI Endpoint Code Injection Vulnerability (CVE-2026-5739)

Attack Chain

Impact

Recommendation

PowerJob SQL Injection Vulnerability (CVE-2026-5736)

Attack Chain

Impact

Recommendation