Skip to main content

Apache Gravitino EUVDEUVD-2026-43323

| CVE-2026-49876 MEDIUM
Server-Side Request Forgery (SSRF) (CWE-918)
2026-07-13
6.5
CVSS 3.1 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
6.5 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
vuln.today AI
7.7 HIGH

Network-reachable API, low complexity; PR:L reflects mandatory authentication; S:C and C:H capture SSRF pivot to cloud metadata credential disclosure; no integrity or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:N/VA:N/SC:H/SI:N/SA:N

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
None
Availability
None

Lifecycle Timeline

2
CVSS changed
Jul 13, 2026 - 15:22 NVD
6.5 (MEDIUM)
Analysis Generated
Jul 13, 2026 - 04:16 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Authenticated SSRF in Apache Gravitino's JobManager component (versions 1.0.0 through 1.2.1) enables authenticated users to coerce the server into making arbitrary outbound HTTP requests to internal network hosts and cloud instance metadata services (e.g., AWS IMDS at 169.254.169.254, GCP metadata endpoints) by supplying unvalidated URIs within job templates. In cloud-hosted deployments this is a credential-theft primitive: metadata service access can yield IAM role credentials with blast radius extending well beyond the Gravitino service itself. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid Gravitino credentials
Delivery
Craft job template with internal URI
Exploit
Submit template to JobManager API
Execution
Gravitino server fetches target URL
Persist
Receive cloud metadata or internal service response
Impact
Extract IAM credentials or sensitive data

Vulnerability AssessmentAI

Exploitation Exploitation requires an authenticated session with sufficient privileges to submit job templates via the Gravitino JobManager API - unauthenticated access is explicitly not sufficient. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS vector or EPSS score was provided with this advisory, which limits quantitative comparison; all metric assessments below are independently derived. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who holds valid Gravitino credentials submits a job template whose URI field is set to http://169.254.169.254/latest/meta-data/iam/security-credentials/ (AWS) or http://metadata.google.internal/computeMetadata/v1/instance/service-accounts/ (GCP). The Gravitino JobManager fetches the URI server-side and returns the response - including ephemeral cloud IAM credentials - to the attacker, who then uses those credentials to authenticate directly to cloud APIs with the permissions of the Gravitino instance's IAM role. …
Remediation The primary remediation is upgrading Apache Gravitino to version 1.3.0, which is confirmed by the Apache advisory to contain the fix for this issue. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Gravitino deployments, versions in use, and cloud environment associations. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43323 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy