CVE-2026-35194
Last modified
CVE-2026-35194 is a high-severity vulnerability rated 8.1/10 on the CVSS scale. Code injection in SQL code generation in Apache Flink 1.15.0 through 1.20.x and 2.0.0 through 2.x allows authenticated users with query submission privileges to execute arbitrary code on TaskManagers via maliciously crafted SQL queries. The vulnerability affects JSON functions (1.15.0+) and LIKE expressions with ESCAPE clauses (1.17.0+). EPSS estimates a 0.38% chance of exploitation in the next 30 days.
Description
Code injection in SQL code generation in Apache Flink 1.15.0 through 1.20.x and 2.0.0 through 2.x allows authenticated users with query submission privileges to execute arbitrary code on TaskManagers via maliciously crafted SQL queries. The vulnerability affects JSON functions (1.15.0+) and LIKE expressions with ESCAPE clauses (1.17.0+). User-controlled strings are interpolated into generated Java code without proper escaping, allowing attackers to break out of string literals and inject arbitrary expressions. Users are recommended to upgrade to either version 1.20.4, 2.0.2, 2.1.2 or 2.2.1, which fixes this issue.
Metrics
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Weakness Enumeration
Affected Software
| Vendor | Product | Versions |
|---|---|---|
| Apache | Flink | >= 1.15.0, < 1.20.4 |
| Apache | Flink | >= 2.0.0, < 2.0.2 |
| Apache | Flink | >= 2.1.0, < 2.1.2 |
| Apache | Flink | 2.2.0 |
References
- https://lists.apache.org/thread/qh52bw4hhvy7n2owd8b3bt51mz0lvj9xMailing List, Vendor Advisory
- http://www.openwall.com/lists/oss-security/2026/05/15/20Mailing List, Third Party Advisory
Timeline
- Published
- Last Modified
- Status
- Analyzed
Frequently Asked Questions
What is CVE-2026-35194?
How severe is CVE-2026-35194?
How do I fix CVE-2026-35194?
Are you affected by CVE-2026-35194?
Run a free Strix scan to check your systems for this vulnerability.
Scan your code nowSource: NVD / NIST