Skip to main content

Apache Gravitino EUVDEUVD-2026-43324

| CVE-2026-41041 CRITICAL
Improper Handling of URL Encoding (Hex Encoding) (CWE-177)
2026-07-13
9.1
CVSS 3.1 · Vendor
Share

Severity by source

Vendor (CNA) PRIMARY
9.1 LOW
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
vuln.today AI
8.1 HIGH

Network REST API with low-complexity injection and high confidentiality/integrity impact; PR:L chosen because identifier submission normally requires authenticated API access, no availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:N/SC:N/SI:N/SA:N

Primary rating from Vendor (CNA).

CVSS VectorVendor

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
None

Lifecycle Timeline

6
Analysis Updated
Jul 13, 2026 - 19:28 vuln.today
v3 (cvss_changed)
Analysis Updated
Jul 13, 2026 - 19:28 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 13, 2026 - 19:07 vuln.today
cvss_changed
CVSS changed
Jul 13, 2026 - 19:07 NVD
9.1 (CRITICAL)
Patch available
Jul 13, 2026 - 12:01 EUVD
Analysis Generated
Jul 13, 2026 - 04:17 vuln.today

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Improper URL encoding in Apache Gravitino versions 1.0.0 through 1.2.0 lets remote attackers inject crafted path segments through unencoded, user-supplied metadata identifiers, redirecting or manipulating the internal HTTP requests Gravitino issues on the user's behalf. Because the CVSS vector (AV:N/PR:N) indicates no authentication and yields a 9.1 Critical score with high confidentiality and integrity impact, an attacker can potentially reach unintended endpoints, tamper with metadata operations, or exfiltrate data from back-end catalog services. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach Gravitino REST API
Delivery
Submit crafted metadata identifier
Exploit
Unencoded name breaks URL path
Execution
Request routed to unintended endpoint
Impact
Read or tamper with metadata

Vulnerability AssessmentAI

Exploitation Exploitation requires the ability to send a request to Apache Gravitino's REST metadata API and to control a user-supplied identifier (metalake, catalog, schema, or table name) that is placed into a URL path - the injection occurs specifically because that identifier is not URL-encoded before being embedded in a request. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The signals are strong but not fully corroborated. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with reach to the Gravitino REST API submits a metadata operation whose object identifier contains crafted, unencoded path characters (for example a name embedding '../' or an alternate route), causing Gravitino to build and send an HTTP request to an unintended endpoint or back-end catalog service. Leveraging the low attack complexity, they use this to read metadata they should not access or manipulate catalog state, undermining confidentiality and integrity. …
Remediation Vendor-released patch: version 1.2.1 - upgrade all Gravitino deployments to 1.2.1 or later, which the ASF advisory states fixes the issue. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, conduct an inventory to identify all Gravitino deployments running versions 1.0.0 through 1.2.0 and determine criticality and network exposure. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

EUVD-2026-43324 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy