CVE-2026-39006: An issue in SNMP4J-Agent 3
An issue in SNMP4J-Agent 3.8.3 allows a remote attacker to execute arbitrary code via the snmp4jCfgStoragePath component.
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
Remote code execution vulnerability in SNMP4J-Agent 3.8.3 allows an unauthenticated attacker to reach the affected service over a network and exploit the snmp4jCfgStoragePath component. No authentication or user interaction is required, and successful exploitation gives the attacker full control to execute arbitrary code on the host. HarborGuard is tracking the advisory for patch availability, and detection is available now for any images containing the affected version.
HarborGuard Coverage
Detection for CVE-2026-39006 is available across every HarborGuard environment, with the CVE matched against images in customer registries and CI/CD pipelines within minutes of publication. Coverage extends to custom-built images that bundle SNMP4J-Agent 3.8.3 alongside other application layers.
Status: Available
Triage is available with the full CVSS v3.1 score of 9.8 (Critical) surfaced against each matched image, weighted by the compliance policy configured for that environment. Findings are routed to the appropriate team inbox within each customer organization based on policy-defined ownership rules.
Status: Available
No upstream fix version has been published for CVE-2026-39006. HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment an upstream fix is released. For customers with auto-remediation enabled, the rebuild, regression run, and PR against affected workloads will be triggered automatically at that time.
Status: Pending upstream
Exploit Conditions
- Network reachability: Required
  The attacker must reach the SNMP4J-Agent service over the network; the vulnerability is remotely exploitable with no requirement for local or physical access.
- Authentication: Not required
  No credentials or prior account access are needed; the attacker can interact with the vulnerable component as an anonymous, unauthenticated party.
- Victim interaction: Not required
  No action from a user or operator on the target system is required to trigger the vulnerability.
- Attack complexity: Detail
  Attack complexity is low, meaning the exploit is reliable and does not depend on race conditions, specific memory layouts, or other environmental factors.
Blast Radius
- Attacker executes arbitrary code on the host running SNMP4J-Agent, gaining full process-level control.
- Confidential data accessible to the agent process, including configuration files and secrets stored on disk, is exposed to the attacker.
- The attacker can write or overwrite files and application state, compromising the integrity of the running service and any data it manages.
- The attacker can terminate or destabilize the agent process, disrupting SNMP-based monitoring and management functions dependent on that service.
How HarborGuard Handles This
Available on HarborGuard: continuous scanning for CVE-2026-39006 is active across all customer environments, matching any image that packages SNMP4J-Agent 3.8.3. Because no upstream fix has been published, HarborGuard monitors the advisory on every ingest cycle and will trigger the patched-image rebuild pipeline the moment a fix version appears. For customers with auto-remediation enabled, that pipeline includes a rebuild, a regression test run, and a PR opened against affected workloads, with no manual intervention required.
While no patch is available, compensating controls worth considering include:
- isolating containers running SNMP4J-Agent behind a restrictive network policy that limits inbound access to the SNMP port to known management hosts only;
- applying egress filtering to prevent outbound callbacks from a compromised agent;
- disabling or gating the snmp4jCfgStoragePath feature through configuration if the deployment does not require it.
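For teams that want to check an unpacked image filesystem themselves for a bundled SNMP4J-Agent 3.8.3, the following is an added example, not HarborGuard's scanner and not code from the advisory. It reads the Maven pom.properties metadata inside jars, including libraries nested in fat jars. The org.snmp4j/snmp4j-agent coordinates, the function names and the sample tree (with a placeholder 0.0.0 version) are assumptions constructed for illustration.

```python
import io
import zipfile
from pathlib import Path

AFFECTED_VERSION = "3.8.3"      # version named in the advisory
ARTIFACT_ID = "snmp4j-agent"    # assumption: Maven artifactId of the library
ARCHIVE_EXT = (".jar", ".war", ".ear")

def _scan_archive(data, label, hits, depth=0):
    """Append (location, version) per bundled pom.properties; recurse into nested jars."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # file has an archive extension but is not a zip; skip it
    with zf:
        for name in zf.namelist():
            if name.endswith(f"/{ARTIFACT_ID}/pom.properties"):
                text = zf.read(name).decode("utf-8", "replace")
                props = dict(l.split("=", 1) for l in text.splitlines()
                             if "=" in l and not l.startswith("#"))
                hits.append((label, props.get("version", "unknown").strip()))
            elif name.lower().endswith(ARCHIVE_EXT) and depth < 3:
                _scan_archive(zf.read(name), f"{label}!{name}", hits, depth + 1)

def find_snmp4j_agent(root):
    """Walk an unpacked image filesystem; return sorted (location, version) pairs."""
    hits = []
    for path in Path(root).rglob("*"):
        if path.is_file() and path.suffix.lower() in ARCHIVE_EXT:
            _scan_archive(path.read_bytes(), path.relative_to(root).as_posix(), hits)
    return sorted(hits)

def affected(hits):
    return [loc for loc, ver in hits if ver == AFFECTED_VERSION]

def build_sample_tree(root):
    """Constructed sample: fat jar bundling 3.8.3, a placeholder-version jar, a non-zip."""
    def jar(version):
        buf = io.BytesIO()
        with zipfile.ZipFile(buf, "w") as z:
            z.writestr(f"META-INF/maven/org.snmp4j/{ARTIFACT_ID}/pom.properties",
                       f"#Generated\nartifactId={ARTIFACT_ID}\nversion={version}\n")
        return buf.getvalue()
    lib = Path(root, "app", "lib")
    lib.mkdir(parents=True)
    with zipfile.ZipFile(Path(root, "app", "service.jar"), "w") as fat:
        fat.writestr("BOOT-INF/lib/snmp4j-agent.jar", jar("3.8.3"))
    (lib / "agent-other.jar").write_bytes(jar("0.0.0"))
    (lib / "broken.jar").write_bytes(b"not a zip")
```

Jars that have been shaded or stripped of their META-INF/maven metadata will not match this check, so a clean result is not proof that the library is absent.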
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H