Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <4028a4ad-aa61-dc7e-ca73-f90d94e57d50@apache.org>
Date: Fri, 15 May 2026 15:06:51 +0000
From: Martijn Visser <martijnvisser@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-35194: Apache Flink: Remote code execution via SQL
 injection in code generation 

Severity: critical 

Affected versions:

- Apache Flink 1.15.0 before 1.20.4,2.0.2,2.1.2,2.2.1

Description:

Code injection in SQL code generation in Apache Flink 1.15.0 through 1.20.x and 2.0.0 through 2.x allows authenticated users with query submission privileges to execute arbitrary code on TaskManagers via maliciously crafted SQL queries. The vulnerability affects JSON functions (1.15.0+) and LIKE expressions with ESCAPE clauses (1.17.0+). User-controlled strings are interpolated into generated Java code without proper escaping, allowing attackers to break out of string literals and inject arbitrary expressions.

Users are recommended to upgrade to either version 1.20.4, 2.0.2, 2.1.2 or 2.2.1, which fixes this issue.

Credit:

Yaswant Katakam, Confluent InfoSec (finder)

References:

https://flink.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-35194

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.