PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-40564 Apache Software Foundation CVE debrief

Apache Flink Kubernetes Operator versions 1.3.0 through 1.14.x contain a vulnerability where the FlinkSessionJob jarURI parameter is not validated to ensure it points to user-owned files or addresses. This allows users with Custom Resource (CR) create permissions to read files from the operator pod's filesystem and pull content from any backing store reachable through Flink's pluggable filesystem layer. Additionally, for HTTP/HTTPS addresses, there is no allowlist on the URI scheme, no host check, no IP-range restriction, and no protection against pointing the URI at internal or link-local addresses. The vulnerability was published on 2026-05-26.

Vendor
Apache Software Foundation
Product
Apache Flink Kubernetes Operator
CVSS
Unknown
CISA KEV
Not listed in stored evidence
Original CVE published
2026-05-26
Original CVE updated
2026-05-26
Advisory published
2026-05-26
Advisory updated
2026-05-26

Who should care

Organizations running Apache Flink Kubernetes Operator versions 1.3.0 through 1.14.x, particularly those with multi-tenant Kubernetes environments where users have Custom Resource creation permissions. Security teams should prioritize patching due to the potential for sensitive file disclosure and internal network reconnaissance via SSRF.

Technical summary

The Apache Flink Kubernetes Operator fails to validate the FlinkSessionJob jarURI parameter, allowing attackers with CR create permissions to read arbitrary files from the operator pod filesystem and perform server-side request forgery against internal and external resources. The vulnerability affects versions 1.3.0 through 1.14.x and is resolved in version 1.15.0.

Defensive priority

High

Recommended defensive actions

  • Upgrade Apache Flink Kubernetes Operator to version 1.15.0 or later
  • Review and audit FlinkSessionJob Custom Resources for jarURI values that use a non-HTTP(S) scheme (file://, local://, or any other scheme served by Flink's pluggable filesystem layer) or that point at hosts outside your artifact repositories, literal IP addresses, or loopback, link-local or private ranges
  • Implement network segmentation to restrict operator pod access to sensitive internal resources
  • Monitor for suspicious outbound connections from Flink Kubernetes Operator pods
  • Restrict FlinkSessionJob create permissions to the principals that actually need them (least privilege), since any user who can create the CR can set jarURI
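One way to carry out the audit in the list above and to approximate the checks the advisory says the operator lacks (scheme allowlist, host check, IP-range restriction). This is an added example, not PatchSiren's or the Flink project's code. It assumes the CRs come from `kubectl get flinksessionjobs -A -o json` with jarURI at spec.job.jarURI (the field used in the operator's own examples); the allowlisted hosts and the sample CRs are constructed for illustration.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Allowlists are assumptions for this example; replace them with your own.
ALLOWED_SCHEMES = {"http", "https"}
ALLOWED_HOSTS = {"repo1.maven.org", "artifacts.corp.example"}


def classify_jar_uri(uri, allowed_hosts=ALLOWED_HOSTS, allowed_schemes=ALLOWED_SCHEMES):
    """Return (verdict, reason) for one jarURI; verdict is 'ok' or 'review'.

    The checks mirror what the advisory says the operator does not do:
    scheme allowlist, host allowlist, and rejection of literal IPs in
    loopback, link-local, private or otherwise non-global ranges.
    """
    parts = urlsplit(uri.strip())
    scheme = parts.scheme.lower()
    if scheme not in allowed_schemes:
        # file://, local://, s3://, hdfs:// and friends are resolved through
        # Flink's pluggable filesystem layer, i.e. the operator pod or a backing store.
        return "review", f"scheme '{scheme or 'none'}' not allowed"
    host = parts.hostname  # strips userinfo and port: 'a@b:8443' -> 'b'
    if not host:
        return "review", "no host in URI"
    try:
        ip = ipaddress.ip_address(host)
    except ValueError:
        ip = None  # a DNS name, checked against the allowlist below
    if ip is not None:
        if not ip.is_global:
            return "review", f"host {host} is loopback/link-local/private"
        return "review", f"literal IP host {host} is not an allowlisted name"
    if host.lower() not in allowed_hosts:
        return "review", f"host {host} not in allowlist"
    return "ok", f"{scheme} to allowlisted host {host}"


def audit_session_jobs(cr_list):
    """Walk a kubectl JSON list of FlinkSessionJob CRs and classify each jarURI."""
    findings = []
    for item in cr_list.get("items", []):
        meta = item.get("metadata", {})
        uri = item.get("spec", {}).get("job", {}).get("jarURI")
        if uri is None:
            verdict, reason = "review", "spec.job.jarURI missing"
        else:
            verdict, reason = classify_jar_uri(uri)
        findings.append({"namespace": meta.get("namespace", ""), "name": meta.get("name", ""),
                         "jarURI": uri, "verdict": verdict, "reason": reason})
    return findings


# Constructed sample in the shape of `kubectl get flinksessionjobs -A -o json`.
SAMPLE_KUBECTL_JSON = """
{"apiVersion": "v1", "kind": "List", "items": [
 {"kind": "FlinkSessionJob", "metadata": {"namespace": "analytics", "name": "topspeed"},
  "spec": {"deploymentName": "session-a", "job": {"jarURI":
   "https://repo1.maven.org/maven2/org/apache/flink/flink-examples-streaming_2.12/1.16.1/flink-examples-streaming_2.12-1.16.1-TopSpeedWindowing.jar"}}},
 {"kind": "FlinkSessionJob", "metadata": {"namespace": "tenant-b", "name": "etc-passwd"},
  "spec": {"deploymentName": "session-b", "job": {"jarURI": "file:///etc/passwd"}}},
 {"kind": "FlinkSessionJob", "metadata": {"namespace": "tenant-b", "name": "link-local"},
  "spec": {"deploymentName": "session-b", "job": {"jarURI": "http://169.254.169.254/job.jar"}}},
 {"kind": "FlinkSessionJob", "metadata": {"namespace": "tenant-b", "name": "userinfo-trick"},
  "spec": {"deploymentName": "session-b", "job": {"jarURI": "https://repo1.maven.org@10.0.0.5/job.jar"}}},
 {"kind": "FlinkSessionJob", "metadata": {"namespace": "tenant-c", "name": "s3-bucket"},
  "spec": {"deploymentName": "session-c", "job": {"jarURI": "s3://someone-elses-bucket/job.jar"}}}
]}
"""


def audit_sample():
    """Run the audit over the constructed sample above."""
    return audit_session_jobs(json.loads(SAMPLE_KUBECTL_JSON))


if __name__ == "__main__":
    for f in audit_sample():
        print(f"{f['verdict']:6} {f['namespace']}/{f['name']}: {f['jarURI']} ({f['reason']})")
```

The classifier parses with urlsplit rather than substring-matching the allowlist, which is why the userinfo form `https://repo1.maven.org@10.0.0.5/...` is caught: the real host is the part after the `@`. It is a static check and does not resolve DNS, so an allowlisted name that an attacker can point at an internal address (or rebind) is not detected; keep the allowlist to hosts you control and pair the audit with egress policy on the operator pod.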

Evidence notes

The vulnerability description indicates that the jarURI parameter lacks validation, enabling unauthorized file access and SSRF. The affected range is stated as 1.3.0 up to, but not including, 1.15.0 (that is, 1.3.0 through 1.14.x). The official fix is available in version 1.15.0.

Official resources

2026-05-26