Critical RCE Vulnerability in Apache Flink Exposes Distributed Data Processing Clusters
A newly disclosed critical vulnerability in Apache Flink (CVE-2026-35194) enables remote code execution (RCE) through injection into the platform’s SQL code generation engine. The flaw stems from improper sanitization of user-supplied string literals in Flink’s SQL-to-Java translation: the Table/SQL planner compiles a query into generated Java code, and an authenticated attacker with query submission privileges can craft a literal that is pasted into that code unescaped, so the attacker’s Java runs on the TaskManager nodes that execute the job. This is not SQL injection into a backing database; the SQL is the attacker’s own input, and the injection target is the Java source Flink generates from it.
The vulnerability affects the JSON functions (introduced in Flink 1.15.0) and LIKE expressions with ESCAPE clauses (introduced in 1.17.0). By crafting specially designed SQL queries, an attacker can break out of the string literal the code generator emits for the argument and append Java expressions or method calls, which are then compiled and run as part of the job. Successful exploitation could lead to full cluster compromise, data manipulation, or lateral movement within the environment, posing heightened risk in multi-tenant or shared deployments where users who may submit SQL are not trusted with code execution.
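The breakout described above, modelled as an added example rather than Flink’s code or the advisory’s proof of concept. TEMPLATE, codegen_naive, codegen_safe and the fn.apply call are hypothetical stand-ins for a planner that embeds a SQL string literal (a JSON path argument, a LIKE ESCAPE character) into generated Java source; every name below is an assumption for illustration. The naive generator pastes the literal straight into the Java source, so a literal containing a double quote terminates the generated string and whatever follows is compiled as code. The escaper also covers a caveat the page does not spell out: javac decodes \uXXXX escapes before lexing (JLS 3.3), so a payload written as \u0022 breaks out of a raw literal exactly like a bare quote, and escaping the backslash is what defeats it. The suspicious_literals check at the end turns the "monitor for anomalous SQL activity" advice into a concrete pre-submission test.

```python
"""Model of string-literal injection in a SQL-to-Java code generator.

Added example, not Flink's code. TEMPLATE, codegen_naive, codegen_safe and the
fn.apply call are hypothetical stand-ins for a planner that embeds a SQL string
literal (a JSON path, a LIKE ESCAPE character) into generated Java source.
"""
import re

# Hypothetical shape of generated code; exactly one Java string literal expected.
TEMPLATE = 'final String arg = "{literal}";\nreturn fn.apply(input, arg);'


def codegen_naive(literal: str) -> str:
    """Vulnerable pattern: the raw SQL literal is pasted into Java source."""
    return TEMPLATE.format(literal=literal)


def java_string_literal(s: str) -> str:
    """Escape s for use inside a Java double-quoted literal.

    Backslash must be escaped too: javac decodes \\uXXXX before lexing, so a
    raw \\u0022 in the source is a quote and would end the literal.
    """
    out = []
    for ch in s:
        if ch == '\\':
            out.append('\\\\')
        elif ch == '"':
            out.append('\\"')
        elif ch == '\n':
            out.append('\\n')
        elif ch == '\r':
            out.append('\\r')
        elif ord(ch) < 0x20:
            out.append('\\u%04x' % ord(ch))
        else:
            out.append(ch)
    return ''.join(out)


def codegen_safe(literal: str) -> str:
    """Hardened pattern: the literal is escaped before it enters the source."""
    return TEMPLATE.format(literal=java_string_literal(literal))


_UNI = re.compile(r'\\u+([0-9a-fA-F]{4})')

def translate_unicode_escapes(src: str) -> str:
    """JLS 3.3: decode \\uXXXX before tokenizing, but only where the backslash
    is preceded by an even number of raw backslashes."""
    out, i, run = [], 0, 0          # run = contiguous raw backslashes emitted
    while i < len(src):
        ch = src[i]
        if ch == '\\':
            m = _UNI.match(src, i) if run % 2 == 0 else None
            if m:
                out.append(chr(int(m.group(1), 16)))
                i, run = m.end(), 0
                continue
            run += 1
        else:
            run = 0
        out.append(ch)
        i += 1
    return ''.join(out)


def string_literals(java_src: str) -> list:
    """Minimal Java lexer: bodies of all string literals as javac would see
    them (comments and char literals are not handled; the template has none)."""
    src = translate_unicode_escapes(java_src)
    lits, i = [], 0
    while i < len(src):
        if src[i] != '"':
            i += 1
            continue
        j, buf = i + 1, []
        while j < len(src) and src[j] != '"':
            step = 2 if src[j] == '\\' else 1   # keep escape pairs intact
            buf.append(src[j:j + step])
            j += step
        lits.append(''.join(buf))
        i = j + 1
    return lits


_SQL_LIT = re.compile(r"'((?:[^']|'')*)'")

def suspicious_literals(sql: str) -> list:
    """Submission-time heuristic: SQL string literals that would terminate a
    naively generated Java literal. For logging/alerting, not a fix."""
    hits = []
    for m in _SQL_LIT.finditer(sql):
        lit = m.group(1).replace("''", "'")          # undo SQL quote doubling
        if len(string_literals(codegen_naive(lit))) != 1:
            hits.append(lit)
    return hits


if __name__ == '__main__':
    payload = 'x" + Runtime.getRuntime().exec("id") + "'   # constructed payload
    print(string_literals(codegen_naive(payload)))   # ['x', 'id', '']
    print(string_literals(codegen_safe(payload)))    # a single literal
    print(suspicious_literals("SELECT JSON_VALUE(doc, '" + payload + "') FROM t"))
```

Run stand-alone it shows the naive generator producing three Java string literals from one SQL literal, which is the tell: the middle one is the attacker’s method call now sitting in code position. The same check flags ESCAPE '"' in a LIKE clause, since a lone double quote is enough to terminate the generated literal. The heuristic is only a stopgap for deployments that cannot upgrade yet; it will also flag legitimate literals that happen to contain a quote, and the fixed releases remove the need for it.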
Affected Versions:
- Apache Flink 1.15.0 – 1.20.x (before 1.20.4)
- Apache Flink 2.0.0 – 2.x (before 2.0.2, 2.1.2, or 2.2.1)
The issue was publicly disclosed by Apache Flink contributor Martijn Visser on May 15, 2026 and rated critical because of its potential impact on production clusters. Apache has released fixed versions (1.20.4, 2.0.2, 2.1.2, 2.2.1). Organizations are advised to upgrade immediately. Until the upgrade lands, treat the ability to submit SQL as equivalent to the ability to run code on the cluster: restrict query submission privileges (including network access to the SQL Gateway and job submission endpoints) to users already trusted with code execution, monitor submitted SQL for anomalous activity, in particular string literals in JSON function arguments and ESCAPE clauses that carry double quotes or backslash escape sequences, and apply runtime security controls on TaskManager nodes so that a compromised task cannot reach credentials or neighbouring systems.
Source: https://cybersecuritynews.com/apache-flink-vulnerability/
The Apache Software Foundation cybersecurity rating report: https://www.rankiteo.com/company/the-apache-software-foundation
{
  "id": "THE1779207955",
  "linkid": "the-apache-software-foundation",
  "type": "Vulnerability",
  "date": "5/2026",
  "severity": "100",
  "impact": "5",
  "explanation": "Attack threatening the organization's existence"
}
{
  "affected_entities": [
    {"industry": "Technology/Big Data", "name": "Apache Flink", "type": "Software"}
  ],
  "attack_vector": "SQL Injection",
  "date_publicly_disclosed": "2026-05-15",
  "description": "A newly disclosed critical vulnerability in Apache Flink (CVE-2026-35194) enables remote code execution (RCE) via SQL injection flaws in the platform’s code generation engine. The flaw stems from improper sanitization of user-supplied input in Flink’s SQL-to-Java translation process, allowing authenticated attackers with query submission privileges to inject malicious payloads and execute arbitrary code on TaskManager nodes. The vulnerability affects JSON functions and LIKE expressions with ESCAPE clauses, leading to full cluster compromise, data manipulation, or lateral movement in multi-tenant or shared deployments.",
  "impact": {
    "operational_impact": "Full cluster compromise, data manipulation, lateral movement",
    "systems_affected": "Apache Flink TaskManager nodes, distributed data processing clusters"
  },
  "post_incident_analysis": {
    "corrective_actions": "Patch management, input validation, privilege restriction, and enhanced monitoring",
    "root_causes": "Improper sanitization of user-supplied input in Flink’s SQL-to-Java translation process"
  },
  "recommendations": "Upgrade immediately to patched versions, restrict query submission privileges, monitor for anomalous SQL activity, and implement runtime security controls on TaskManager nodes.",
  "references": [{"source": "Apache Flink Security Advisory"}],
  "response": {
    "containment_measures": "Upgrade to patched versions (1.20.4, 2.0.2, 2.1.2, 2.2.1), restrict query submission privileges, monitor for anomalous SQL activity, implement runtime security controls on TaskManager nodes",
    "enhanced_monitoring": "Monitor for anomalous SQL activity",
    "remediation_measures": "Apache released patched versions (1.20.4, 2.0.2, 2.1.2, 2.2.1)"
  },
  "title": "Critical RCE Vulnerability in Apache Flink Exposes Distributed Data Processing Clusters",
  "type": "Remote Code Execution (RCE)",
  "vulnerability_exploited": "CVE-2026-35194"
}