Skip to main content

Apache Atlas CVE-2026-40563

| EUVDEUVD-2026-26979 HIGH
Code Injection (CWE-94)
2026-05-04 apache GHSA-35xx-9xrg-gwhf
8.1
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
8.1 HIGH
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Primary rating from NVD · only source for this CVE.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

8
Analysis Updated
May 06, 2026 - 14:27 vuln.today
v2 (cvss_changed)
Re-analysis Queued
May 06, 2026 - 14:22 vuln.today
cvss_changed
CVSS changed
May 06, 2026 - 14:22 NVD
7.1 (HIGH) 8.1 (HIGH)
Analysis Generated
May 04, 2026 - 18:45 vuln.today
CVSS changed
May 04, 2026 - 17:22 NVD
7.1 (None) 7.1 (HIGH)
EUVD ID Assigned
May 04, 2026 - 16:00 euvd
EUVD-2026-26979
Analysis Generated
May 04, 2026 - 16:00 vuln.today
CVE Published
May 04, 2026 - 15:17 nvd
HIGH 7.1

DescriptionCVE.org

Description: Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Atlas Apache Atlas exposes a DSL search endpoint that accepts user-supplied query strings. Attacker can alter Gremlin traversal logic within grammar-allowed characters to access unintended data

Affect Version: This issue affects Apache Atlas: from 0.8 through 2.4.0.

For the affect version >= 2.0, vulnerability is only when Atlas is deployed with below non-default configuration.

atlas.dsl.executor.traversal=false

Mitigation: Users are recommended to upgrade to version 2.5.0, which fixes the issue.

AnalysisAI

Code injection in Apache Atlas DSL search endpoint allows authenticated attackers to manipulate Gremlin traversal queries and access unauthorized data. Affects versions 0.8 through 2.4.0; exploitable in 2.0+ only when non-default configuration 'atlas.dsl.executor.traversal=false' is set. EPSS score of 0.03% (9th percentile) suggests low widespread exploitation probability. No active exploitation confirmed per CISA KEV or vendor advisory. Fixed in version 2.5.0.

Technical ContextAI

Apache Atlas is a metadata management and governance framework for Hadoop ecosystems. The vulnerability resides in the DSL (Domain Specific Language) search endpoint, which processes user queries and translates them into Gremlin graph traversal operations against the underlying metadata graph database. CWE-94 (Code Injection) indicates the application improperly neutralizes special elements in user input before incorporating them into executable code. Attackers can inject malicious Gremlin traversal logic within grammar-allowed characters to alter query execution paths. For Atlas 2.0+, the vulnerability requires the non-default configuration setting 'atlas.dsl.executor.traversal=false', which changes the DSL execution engine behavior. CPE cpe:2.3:a:apache_software_foundation:apache_atlas identifies the Apache Software Foundation product line.

RemediationAI

Upgrade to Apache Atlas version 2.5.0, which addresses the code injection vulnerability according to the vendor advisory at https://lists.apache.org/thread/vd0oggmqxl2k1skm0z2f9p0plx7jhmfl. For organizations unable to upgrade immediately: if running Atlas 2.0-2.4.0, ensure the configuration setting 'atlas.dsl.executor.traversal' is set to 'true' (the default value) to prevent exploitation, though this is a workaround rather than complete fix. Organizations running versions prior to 2.0 have no configuration-based mitigation and should prioritize upgrading. As a defense-in-depth measure, restrict DSL search endpoint access to only trusted authenticated users through network segmentation or application-level access controls, though this reduces functionality. Review Atlas access logs for suspicious Gremlin query patterns or unexpected metadata access by authenticated users to detect potential exploitation attempts.

Share

CVE-2026-40563 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy