Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Lifecycle Timeline
5DescriptionCVE.org
Files or Directories Accessible to External Parties, Server-Side Request Forgery (SSRF) vulnerability in Apache Flink Kubernetes Operator.
The FlinkSessionJob jarURI is currently not validated so that it points to user-owned files or addresses. This lets a user with CR create permissions read files from the operator pod's filesystem and pull content from any backing store reachable through Flink's pluggable filesystem layer and access them through the submitted Flink job. Furthermore for fetching from http/https addresses there is currently no allowlist on the URI scheme, no host check, no IP-range restriction, and no protection against pointing the URI at internal or link-local addresses.This issue affects Apache Flink Kubernetes Operator: from 1.3.0 before 1.15.0.
Users are recommended to upgrade to version 1.15.0, which fixes the issue.
AnalysisAI
Unvalidated jarURI handling in Apache Flink Kubernetes Operator exposes authenticated low-privilege users to server-side request forgery and arbitrary file read primitives against the operator pod. Any Kubernetes principal holding Custom Resource create permissions can submit a malicious FlinkSessionJob CR with a crafted jarURI - pointing to local filesystem paths, internal cloud metadata endpoints, link-local addresses, or any backing store reachable through Flink's pluggable filesystem layer - and retrieve that content via the submitted job. No public exploit has been identified at time of analysis, and EPSS sits at 0.01% (3rd percentile), but the confidentiality impact is rated High by NVD given the breadth of accessible internal resources.
Technical ContextAI
Apache Flink Kubernetes Operator (CPE: cpe:2.3:a:apache_software_foundation:apache_flink_kubernetes_operator) manages Flink workloads on Kubernetes through Custom Resource Definitions (CRDs), including FlinkSessionJob. The jarURI field in FlinkSessionJob CRs instructs the operator to fetch a JAR artifact before scheduling execution. Because Flink exposes a pluggable filesystem abstraction, the URI can resolve against local file paths, object storage backends (S3, HDFS, GCS), or HTTP/HTTPS endpoints. The root cause class is CWE-552 (Files or Directories Accessible to External Parties): the operator performs no ownership validation, no URI scheme allowlist, no hostname or IP-range restriction, and no protection against RFC 1918 or link-local (169.254.x.x) addresses for HTTP-scheme URIs. This dual nature - filesystem traversal plus SSRF - is what elevates the practical impact beyond a single vulnerability class.
RemediationAI
Vendor-released patch: Apache Flink Kubernetes Operator 1.15.0, which introduces jarURI validation. Upgrade immediately following the Apache advisory at https://lists.apache.org/thread/jvxs2kh2o60sl7qkl5nss4r5phzfl4cz. If immediate upgrade is not possible, restrict Kubernetes RBAC so that only fully trusted principals (dedicated operator service accounts, not developer or CI namespaces) hold create/update permissions on FlinkSessionJob CRs - this directly removes the prerequisite for exploitation and is the most impactful compensating control. Additionally, apply Kubernetes NetworkPolicy to prevent the operator pod from initiating outbound connections to RFC 1918 ranges, link-local addresses (169.254.0.0/16), and the cluster's internal API server CIDR, which limits SSRF reach even if an attacker submits a malicious URI; note that this does not prevent local filesystem reads. Pod Security Admission or OPA/Gatekeeper policies can be used to reject FlinkSessionJob resources with non-allowlisted URI schemes as an additional layer.
More in Kubernetes
View allA critical vulnerability in Kubernetes ingress-nginx controller allows unauthenticated attackers with pod network access
Credential-harvesting malware compromised 84 versions of 42 TanStack npm packages on 2026-05-11 via chained GitHub Actio
Kubernetes ingress-nginx contains a configuration injection vulnerability via the mirror-target and mirror-host Ingress
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-url` Ingres
A security issue was discovered in ingress-nginx https://github.com/kubernetes/ingress-nginx where the `auth-tls-match-c
Kubernetes API server in all versions allow an attacker who is able to create a ClusterIP service and set the spec.exter
Argo CD is a declarative, GitOps continuous delivery tool for Kubernetes. Rated critical severity (CVSS 9.9), this vulne
The Kubernetes integration in GitLab Enterprise Edition 11.x before 11.2.8, 11.3.x before 11.3.9, and 11.4.x before 11.4
Kyverno Kubernetes policy engine prior to 1.x has a privilege escalation vulnerability (CVSS 9.9) allowing policy bypass
Kamaji is the Hosted Control Plane Manager for Kubernetes. Rated critical severity (CVSS 9.9), this vulnerability is rem
Jumpserver is a popular open source bastion host, and Koko is a Jumpserver component that is the Go version of coco, ref
String filter bypass in Inspektor Gadget Kubernetes eBPF tooling before fix. Insufficient string escaping enables filter
Same technique Information Disclosure
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-31846
GHSA-rj6x-mg28-wf4x