Skip to main content
2 CVEs CRITICAL CVSS 9.1

Apache Gravitino Path Injection and SSRF Flaws

2026-07-13

CVE-2026-41041 CRITICAL PATCH

Improper URL encoding in Apache Gravitino versions 1.0.0 through 1.2.0 lets remote attackers inject crafted path segments through unencoded, user-supplied metadata identifiers, redirecting or manipulating the internal HTTP requests Gravitino issues on the user's behalf. Because the CVSS vector (AV:N/PR:N) indicates no authentication and yields a 9.1 Critical score with high confidentiality and integrity impact, an attacker can potentially reach unintended endpoints, tamper with metadata operations, or exfiltrate data from back-end catalog services. No public exploit identified at time of analysis, and the flaw is fixed in version 1.2.1.

9.1
CVSS
0.2%
EPSS
CVE-2026-49876 MEDIUM PATCH

Authenticated SSRF in Apache Gravitino's JobManager component (versions 1.0.0 through 1.2.1) enables authenticated users to coerce the server into making arbitrary outbound HTTP requests to internal network hosts and cloud instance metadata services (e.g., AWS IMDS at 169.254.169.254, GCP metadata endpoints) by supplying unvalidated URIs within job templates. In cloud-hosted deployments this is a credential-theft primitive: metadata service access can yield IAM role credentials with blast radius extending well beyond the Gravitino service itself. No public exploit or CISA KEV listing has been identified at time of analysis; vendor labels severity as moderate, though cloud-metadata reachability elevates real-world impact above that rating in typical deployment contexts.

6.5
CVSS
0.2%
EPSS

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy