What is the CVSS score of EUVD-2026-26979?

EUVD-2026-26979 has a CVSS 3.1 base score of 8.1 (High). CVSS vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N. EPSS exploitation probability: 0.0%.

Which versions of Apache Atlas are affected by EUVD-2026-26979?

Apache Atlas versions 0.8-2.4.0 contain a code injection vulnerability in the DSL search endpoint that permits authenticated users to bypass data access controls and retrieve sensitive metadata.. A patch is available.

Apache Atlas EUVD-2026-26979

| CVE-2026-40563 HIGH

Code Injection (CWE-94)

2026-05-04 apache

GHSA-35xx-9xrg-gwhf

RCE Apache Code Injection

8.1

CVSS 3.1

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Attack Vector

Network

Attack Complexity

Low

Privileges Required

Low

User Interaction

None

Scope

Unchanged

Confidentiality

High

Integrity

High

Availability

None

Lifecycle Timeline

Analysis Updated

May 06, 2026 - 14:27 vuln.today

v2 (cvss_changed)

Re-analysis Queued

May 06, 2026 - 14:22 vuln.today

cvss_changed

CVSS changed

May 06, 2026 - 14:22 NVD

7.1 (HIGH) 8.1 (HIGH)

Analysis Generated

May 04, 2026 - 18:45 vuln.today

CVSS changed

May 04, 2026 - 17:22 NVD

7.1 (None) 7.1 (HIGH)

EUVD ID Assigned

May 04, 2026 - 16:00 euvd

EUVD-2026-26979

Analysis Generated

May 04, 2026 - 16:00 vuln.today

CVE Published

May 04, 2026 - 15:17 nvd

HIGH 7.1

DescriptionNVD

Description: Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Atlas Apache Atlas exposes a DSL search endpoint that accepts user-supplied query strings. Attacker can alter Gremlin traversal logic within grammar-allowed characters to access unintended data

Affect Version: This issue affects Apache Atlas: from 0.8 through 2.4.0.

For the affect version >= 2.0, vulnerability is only when Atlas is deployed with below non-default configuration.

atlas.dsl.executor.traversal=false

Mitigation: Users are recommended to upgrade to version 2.5.0, which fixes the issue.

AnalysisAI

Code injection in Apache Atlas DSL search endpoint allows authenticated attackers to manipulate Gremlin traversal queries and access unauthorized data. Affects versions 0.8 through 2.4.0; exploitable in 2.0+ only when non-default configuration 'atlas.dsl.executor.traversal=false' is set. …

RemediationAI

Within 24 hours: inventory all Apache Atlas deployments and identify instances running versions 0.8-2.4.0, prioritizing those with 'atlas.dsl.executor.traversal=false' in configuration. Within 7 days: upgrade affected instances to Apache Atlas 2.5.0 or later. …

Analysis

Detailed AI-generated intelligence summary covering attack vector, impact assessment, affected versions, remediation steps, and indicators of compromise.

POChttps://••••••••••.com/exploit

PATCHhttps://••••••••••.com/patch

ADVISORYhttps://••••••••••.com/advisory

Full analysis requires sign-in

Get intelligence summaries, risk assessment, exploit details, threat intel, and remediation guidance.

More from same product – last 7 days

CVE-2025-48977 HIGH This Week

8.5 May 28

Path traversal in Apache Ignite 2.0.0 through 2.17.0 lets authenticated REST API users read arbitrary files on the serve

CVE-2026-42782 HIGH This Week

7.2 May 25

Code execution via Groovy sandbox bypass in Apache Syncope 3.0 through 3.0.16, 4.0 through 4.0.5, and 4.1.0 allows a hig

CVE-2026-43827 MEDIUM This Month

5.9 May 25

Default configurations of Apache Shiro have a session fixation vulnerability. This issue affects Apache Shiro from 1.0

CVE-2026-43828 MEDIUM This Month

5.9 May 25

Default configurations of Apache Shiro send sensitive cookies in HTTPS session without 'Secure' attribute. This issue

CVE-2026-44598 MEDIUM This Month

5.1 May 25

With valid login credentials, URL Redirection to Untrusted Site ('Open Redirect'), Server-Side Request Forgery (SSRF) vu

EUVD-2026-26979 vulnerability details – vuln.today

Back