I am not sure if this is working as intended, but while reviewing the source code (https://github.com/apache/groovy/blob/49ee146850d866513aa84bc49bf22e06687484d5/src/bin/startGroovy.bat#L95) I found that groovy.bat looks for java.exe from the current working directory (CWD).
In my opinion, groovy.bat looks for java.exe from the current working directory (CWD), so an attacker could place a crafted java.exe file to execute arbitrary commands. User interaction is required to exploit this vulnerability, in that the target must visit a malicious page or open a malicious file to trigger this remotely.
This can also be exploited when groovy.bat is run via SMB shares, where a malicious threat actor could store a hidden pre-built java.exe. A successful attack could lead to remote code execution.
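
A defensive check for the lookup behaviour described above, as an added example that is not part of the original report or of the Groovy project: it models cmd.exe's default resolution of a bare `java.exe` (current directory first, then PATH) and reports when the copy that would run comes from the working directory. The function names and the directory layout are constructed for illustration, and it assumes the launcher invokes `java.exe` by bare name rather than by full path.

```python
import os
import tempfile

def resolve_like_cmd(name, cwd, path_dirs, env=None):
    """Model cmd.exe lookup of a bare command name that already has an
    extension: the current directory is tried first, then each PATH entry."""
    env = env or {}
    # If NoDefaultCurrentDirectoryInExePath exists in the environment,
    # cmd.exe no longer searches the CWD for names without a path separator.
    search = [] if "NoDefaultCurrentDirectoryInExePath" in env else [cwd]
    search += [d for d in path_dirs if d]
    for d in search:
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate):
            return candidate, os.path.realpath(d) == os.path.realpath(cwd)
    return None, False

def audit_launch(cwd, path_dirs, env=None, name="java.exe"):
    """Classify where the interpreter would be loaded from for this launch."""
    hit, from_cwd = resolve_like_cmd(name, cwd, path_dirs, env)
    if hit is None:
        return "not-found"
    return "shadowed-by-cwd" if from_cwd else "resolved-from-path"

def demo():
    """Constructed layout: a JDK on PATH, a share holding its own java.exe,
    and a clean working directory with no java.exe."""
    with tempfile.TemporaryDirectory() as root:
        jdk = os.path.join(root, "jdk", "bin")
        share = os.path.join(root, "share")
        clean = os.path.join(root, "clean")
        for d in (jdk, share, clean):
            os.makedirs(d)
        for d in (jdk, share):
            open(os.path.join(d, "java.exe"), "wb").close()  # empty placeholder
        hardened = {"NoDefaultCurrentDirectoryInExePath": "1"}
        return {
            "untrusted_cwd": audit_launch(share, [jdk]),
            "clean_cwd": audit_launch(clean, [jdk]),
            "hardened_env": audit_launch(share, [jdk], hardened),
        }

if __name__ == "__main__":
    for case, verdict in demo().items():
        print(f"{case}: {verdict}")
```

A `shadowed-by-cwd` verdict means the working directory, not the installed JDK, decides which binary runs; setting `JAVA_HOME` so the launcher uses a full path, or defining `NoDefaultCurrentDirectoryInExePath`, removes the working directory from that decision.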