Company
Date Published
Author
Dennis Brinkrolf
Word count
1346
Language
English
Hacker News points
None

Summary

Emissary is a P2P-based, data-driven workflow engine that runs on a heterogeneous and multi-tiered network, with its Java source code available on the official GitHub repository of the US National Security Agency (NSA). An analysis of version 5.9.0 revealed several code vulnerabilities that allow remote attackers to execute arbitrary system commands on any Emissary server, potentially compromising the entire P2P network. The combination of these vulnerabilities enables various attack vectors, including Code Injection, Arbitrary File Upload, Arbitrary File Disclosure, and Reflected Cross-Site Scripting. An attacker can exploit these vulnerabilities by abusing intended features of the software, such as the web application's vulnerability to Cross-Site Request Forgery (CSRF) attacks. The analysis showed that a simple authentication mechanism is not enough to secure a web application, and that developers' intentions can sometimes create opportunities for attackers. Emissary has since released patches to address these vulnerabilities, including version 6.1, which fixes most of the issues reported in this blog post.