Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Lifecycle Timeline
8DescriptionCVE.org
Description: Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Atlas Apache Atlas exposes a DSL search endpoint that accepts user-supplied query strings. Attacker can alter Gremlin traversal logic within grammar-allowed characters to access unintended data
Affect Version: This issue affects Apache Atlas: from 0.8 through 2.4.0.
For the affect version >= 2.0, vulnerability is only when Atlas is deployed with below non-default configuration.
atlas.dsl.executor.traversal=false
Mitigation: Users are recommended to upgrade to version 2.5.0, which fixes the issue.
AnalysisAI
Code injection in Apache Atlas DSL search endpoint allows authenticated attackers to manipulate Gremlin traversal queries and access unauthorized data. Affects versions 0.8 through 2.4.0; exploitable in 2.0+ only when non-default configuration 'atlas.dsl.executor.traversal=false' is set. EPSS score of 0.03% (9th percentile) suggests low widespread exploitation probability. No active exploitation confirmed per CISA KEV or vendor advisory. Fixed in version 2.5.0.
Technical ContextAI
Apache Atlas is a metadata management and governance framework for Hadoop ecosystems. The vulnerability resides in the DSL (Domain Specific Language) search endpoint, which processes user queries and translates them into Gremlin graph traversal operations against the underlying metadata graph database. CWE-94 (Code Injection) indicates the application improperly neutralizes special elements in user input before incorporating them into executable code. Attackers can inject malicious Gremlin traversal logic within grammar-allowed characters to alter query execution paths. For Atlas 2.0+, the vulnerability requires the non-default configuration setting 'atlas.dsl.executor.traversal=false', which changes the DSL execution engine behavior. CPE cpe:2.3:a:apache_software_foundation:apache_atlas identifies the Apache Software Foundation product line.
RemediationAI
Upgrade to Apache Atlas version 2.5.0, which addresses the code injection vulnerability according to the vendor advisory at https://lists.apache.org/thread/vd0oggmqxl2k1skm0z2f9p0plx7jhmfl. For organizations unable to upgrade immediately: if running Atlas 2.0-2.4.0, ensure the configuration setting 'atlas.dsl.executor.traversal' is set to 'true' (the default value) to prevent exploitation, though this is a workaround rather than complete fix. Organizations running versions prior to 2.0 have no configuration-based mitigation and should prioritize upgrading. As a defense-in-depth measure, restrict DSL search endpoint access to only trusted authenticated users through network segmentation or application-level access controls, though this reduces functionality. Review Atlas access logs for suspicious Gremlin query patterns or unexpected metadata access by authenticated users to detect potential exploitation attempts.
Same weakness CWE-94 – Code Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-26979
GHSA-35xx-9xrg-gwhf