PatchSiren cyber security CVE debrief
CVE-2026-35194 Apache Software Foundation CVE debrief
Apache Flink versions 1.15.0 through 1.20.x and 2.0.0 through 2.x contain a code injection vulnerability in SQL code generation. Authenticated users with query submission privileges can execute arbitrary code on TaskManagers by submitting maliciously crafted SQL queries. The vulnerability stems from improper escaping of user-controlled strings interpolated into generated Java code, affecting JSON functions (introduced in 1.15.0) and LIKE expressions with ESCAPE clauses (introduced in 1.17.0). Attackers can break out of string literals to inject arbitrary expressions. The CVSS 3.1 score of 8.1 reflects network attack vector, low attack complexity, low privileges required, no user interaction, and high impact to confidentiality and integrity. Apache released patches on 2026-05-15 addressing this issue in versions 1.20.4, 2.0.2, 2.1.2, and 2.2.1. Organizations should prioritize patching Flink deployments, particularly those exposing SQL query interfaces to multiple users or untrusted networks.
- Vendor: Apache Software Foundation
- Product: Apache Flink
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-15
- Original CVE updated: 2026-05-18
- Advisory published: 2026-05-15
- Advisory updated: 2026-05-18
Who should care
Organizations running Apache Flink in multi-tenant environments, data platform teams exposing SQL interfaces to analysts, security teams managing data processing infrastructure, and compliance officers responsible for data processing security controls.
Technical summary
The vulnerability exists in Flink's SQL code generation pipeline where user-provided strings are interpolated into generated Java source code without proper escaping. Two specific attack vectors are identified: JSON functions (affecting 1.15.0+) and LIKE expressions with ESCAPE clauses (affecting 1.17.0+). By crafting input that breaks out of string literal context, attackers can inject arbitrary Java expressions that execute on TaskManager nodes. This represents a classic code injection pattern (CWE-94) in a data processing context where SQL interfaces are exposed to end users. The attack requires authenticated access with query submission privileges, making insider threat and compromised credential scenarios primary risk vectors.
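The escaping failure described above, modeled as an added Python example (not Apache Flink code and not the vendor patch; all function names are hypothetical): raw interpolation of a string into a Java string literal is set beside an emitter that escapes it, with a small checker confirming the emitted source stays one literal. The checker also applies Java's pre-lexing Unicode-escape translation, which is why the backslash itself must be escaped.

```python
import re
# Added illustration, not Apache Flink code; all names here are hypothetical.
_NAMED = {'\\': '\\\\', '"': '\\"', '\n': '\\n', '\r': '\\r', '\t': '\\t'}
_UESC = re.compile(r'\\u+([0-9a-fA-F]{4})')

def naive_literal(value):  # unsafe pattern: raw interpolation between quotes
    return '"' + value + '"'

def java_string_literal(value):
    """Emit value as exactly one Java string literal."""
    out = []
    for ch in value:
        if ch in _NAMED:
            out.append(_NAMED[ch])
        elif 0x20 <= ord(ch) < 0x7F:
            out.append(ch)
        else:  # control or non-ASCII: UTF-16 code units as \uXXXX
            h = ch.encode('utf-16-be', 'surrogatepass').hex()
            out += ['\\u' + h[i:i + 4] for i in range(0, len(h), 4)]
    return '"' + ''.join(out) + '"'

def translate_unicode_escapes(src):
    """Mimic javac's pre-lexing pass: \\uXXXX after an even run of backslashes."""
    out, i, run = [], 0, 0
    while i < len(src):
        m = _UESC.match(src, i) if src[i] == '\\' and run % 2 == 0 else None
        if m:
            out.append(chr(int(m.group(1), 16)))
            i, run = m.end(), 0
        else:
            out.append(src[i])
            run, i = (run + 1 if src[i] == '\\' else 0), i + 1
    return ''.join(out)

def is_single_literal(src):
    """True if src lexes as one string literal with nothing after it."""
    s = translate_unicode_escapes(src)
    if len(s) < 2 or s[0] != '"':
        return False
    i = 1
    while i < len(s):
        if s[i] in '"\n\r':  # unescaped quote or raw line terminator
            return s[i] == '"' and i == len(s) - 1
        i += 2 if s[i] == '\\' else 1  # skip an escaped character
    return False  # literal never closed

if __name__ == '__main__':
    for v in ['a" + b + "c', 'x\\', '\\u0022 + b + \\u0022']:  # constructed inputs
        print(is_single_literal(naive_literal(v)), is_single_literal(java_string_literal(v)))
```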
Defensive priority
high
Recommended defensive actions
- Upgrade Apache Flink to version 1.20.4, 2.0.2, 2.1.2, or 2.2.1 or later
- Restrict SQL query submission privileges to trusted administrative accounts only
- Audit Flink deployment access controls and query submission interfaces
- Monitor TaskManager logs for anomalous code execution or unexpected process spawning
- Review SQL query logs for suspicious patterns involving JSON functions or ESCAPE clauses
- Implement network segmentation to limit TaskManager exposure to untrusted networks
- Validate that generated Java code paths in Flink SQL planner are not accessible to non-administrative users
Evidence notes
Vulnerability confirmed through official Apache security advisory and NVD analysis. CWE-94 (Improper Control of Generation of Code) classification provided by Apache security team. Affected version ranges validated against CPE criteria in NVD record.
Official resources
- CVE-2026-35194 CVE record (CVE.org)
- CVE-2026-35194 NVD detail (NVD)
- Source item URL (nvd_modified)
- Mitigation or vendor reference: [email protected] - Mailing List, Vendor Advisory
- Mitigation or vendor reference: af854a3a-2127-422b-91ae-364da2661108 - Mailing List, Third Party Advisory
2026-05-15