Skip to main content

Apache Flink CVE-2026-35194

| EUVDEUVD-2026-30550 HIGH
Code Injection (CWE-94)
2026-05-15 apache GHSA-2f54-v4hm-fx73
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

4
Analysis Generated
May 15, 2026 - 19:22 vuln.today
CVSS changed
May 15, 2026 - 19:22 NVD
8.1 (HIGH)
Patch available
May 15, 2026 - 17:01 EUVD
CVE Published
May 15, 2026 - 15:27 nvd
UNKNOWN (no severity yet)

Blast Radius

ecosystem impact
† from your stack dependencies † transitive graph · vuln.today resolves 4-path depth
  • 27 maven packages depend on org.apache.flink:flink-table-api-java (8 direct, 19 indirect)
  • 6 maven packages depend on org.apache.flink:flink-table-planner_2.12 (6 direct, 0 indirect)
  • 23 maven packages depend on org.apache.flink:flink-table-runtime (19 direct, 4 indirect)

Ecosystem-wide dependent count for version 1.15.0 and other introduced versions.

DescriptionCVE.org

Code injection in SQL code generation in Apache Flink 1.15.0 through 1.20.x and 2.0.0 through 2.x allows authenticated users with query submission privileges to execute arbitrary code on TaskManagers via maliciously crafted SQL queries. The vulnerability affects JSON functions (1.15.0+) and LIKE expressions with ESCAPE clauses (1.17.0+). User-controlled strings are interpolated into generated Java code without proper escaping, allowing attackers to break out of string literals and inject arbitrary expressions.

Users are recommended to upgrade to either version 1.20.4, 2.0.2, 2.1.2 or 2.2.1, which fixes this issue.

AnalysisAI

Code injection in Apache Flink's SQL engine allows authenticated users to execute arbitrary code on TaskManagers through malicious SQL queries. The vulnerability affects JSON functions in versions 1.15.0+ and LIKE expressions with ESCAPE clauses in versions 1.17.0+, where user-controlled strings are interpolated into generated Java code without proper escaping. Apache has released patches in versions 1.20.4, 2.0.2, 2.1.2 and 2.2.1.

Technical ContextAI

Apache Flink is a distributed stream processing framework that includes a SQL engine which generates Java code dynamically from SQL queries. The vulnerability (CWE-94: Code Injection) occurs when processing SQL queries containing JSON functions or LIKE expressions with ESCAPE clauses. The SQL-to-Java code generation process fails to properly escape user-controlled strings when embedding them into generated Java source code, allowing attackers to break out of string literals and inject arbitrary Java expressions that execute within the TaskManager JVM.

RemediationAI

Vendor-released patches are available in Apache Flink versions 1.20.4, 2.0.2, 2.1.2 and 2.2.1. Organizations should upgrade to the appropriate patched version based on their current deployment. As an immediate mitigation, restrict SQL query submission privileges to trusted users only and audit existing SQL queries for potentially malicious patterns in JSON functions and LIKE expressions with ESCAPE clauses. Consider implementing input validation for any externally-sourced data incorporated into SQL queries. Review the Apache security advisory at https://lists.apache.org/thread/qh52bw4hhvy7n2owd8b3bt51mz0lvj9x for complete remediation details.

More in Java

View all
CVE-2012-4681 CRITICAL POC
9.8 Aug 28

Oracle Java SE 7 Update 6 and earlier contains multiple sandbox bypass vulnerabilities via the ClassFinder and forName m

CVE-2015-7450 CRITICAL POC
9.8 Jan 02

Remote code execution in IBM Sterling B2B Integrator, Sterling Integrator, and Tivoli Common Reporting allows unauthenti

CVE-2013-2465 CRITICAL POC
9.8 Jun 18

Java Runtime Environment sandbox bypass via incorrect image channel verification in 2D component allows remote unauthent

CVE-2011-3544 CRITICAL POC
9.8 Oct 19

Oracle Java SE JDK/JRE 7 and 6 Update 27 and earlier allows remote code execution with complete system compromise throug

CVE-2010-1871 HIGH POC
8.8 Aug 05

JBoss Seam 2 in Red Hat JBoss EAP 4.3.0 fails to sanitize JBoss Expression Language inputs, allowing remote attackers to

CVE-2012-1723 CRITICAL POC
9.8 Jun 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 update 4 and earlier, 6 up

CVE-2013-0422 CRITICAL POC
9.8 Jan 10

Multiple vulnerabilities in Oracle Java 7 before Update 11 allow remote attackers to execute arbitrary code by (1) using

CVE-2012-0507 CRITICAL POC
9.8 Jun 07

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 2 and earlier, 6 Up

CVE-2015-4852 CRITICAL POC
9.8 Nov 18

The WLS Security component in Oracle WebLogic Server 10.3.6.0, 12.1.2.0, 12.1.3.0, and 12.2.1.0 allows remote attackers

CVE-2012-5076 CRITICAL POC
9.8 Oct 16

Unspecified vulnerability in the Java Runtime Environment (JRE) component in Oracle Java SE 7 Update 7 and earlier allow

CVE-2017-3066 CRITICAL POC
9.8 Apr 27

Remote unauthenticated attackers can execute arbitrary code on Adobe ColdFusion servers through Java deserialization fla

CVE-2012-0391 CRITICAL POC
9.8 Jan 08

The ExceptionDelegator component in Apache Struts before 2.2.3.1 interprets parameter values as OGNL expressions during

Share

CVE-2026-35194 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy