Message-ID: <cfbee3d0-f45a-af65-f157-59f465ea7aad@apache.org>
Date: Sun, 03 May 2026 11:59:12 +0000
From: Pinal Shah <pinal@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-40563: Apache Atlas: Script injection allows access to unintended data
Severity: important
Affected versions:
- Apache Atlas (org.apache.atlas:atlas-repository) 0.8 through 2.4.0
Description:
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Atlas.
Apache Atlas exposes a DSL search endpoint that accepts user-supplied query strings. An attacker can alter the Gremlin traversal logic using only characters the DSL grammar allows, and thereby access unintended data.
Affected versions:
This issue affects Apache Atlas from 0.8 through 2.4.0.
For affected versions >= 2.0, the vulnerability is present only when Atlas is deployed with the following non-default configuration:
atlas.dsl.executor.traversal=false
Mitigation:
Users are recommended to upgrade to version 2.5.0, which fixes the issue.
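The advisory's affected-version rule has two parts (the version range, and for 2.x the non-default atlas.dsl.executor.traversal=false setting), which makes it easy to misjudge exposure by hand. The following script is an added example, not part of the advisory or of the Atlas project: it parses a Java .properties file in the format Atlas uses for atlas-application.properties and applies exactly the rule stated above. The version string and the properties text are assumed to be supplied by the operator (e.g. from the deployment's packaging and configuration); the property file content shown in `main` is constructed sample input.

```python
"""Added example: decide whether an Apache Atlas deployment falls within the
affected range described in CVE-2026-40563.

Facts encoded here come from the advisory text only:
  - versions 0.8 through 2.4.0 are affected;
  - for versions >= 2.0, only when atlas.dsl.executor.traversal=false is set
    (a non-default configuration);
  - 2.5.0 fixes the issue.
"""

from __future__ import annotations

import re

PROPERTY = "atlas.dsl.executor.traversal"


def parse_version(version: str) -> tuple[int, int, int]:
    """Normalise a version string such as '0.8', '2.4.0' or '2.4.0-SNAPSHOT'
    into a comparable (major, minor, patch) tuple."""
    core = re.split(r"[-+]", version.strip(), maxsplit=1)[0]
    parts = [int(p) for p in core.split(".") if p.isdigit()]
    if not parts:
        raise ValueError(f"unparseable version: {version!r}")
    parts += [0] * (3 - len(parts))
    return tuple(parts[:3])  # type: ignore[return-value]


def parse_properties(text: str) -> dict[str, str]:
    """Minimal Java .properties reader: 'key=value' or 'key: value' lines,
    '#' / '!' comment lines, surrounding whitespace trimmed."""
    props: dict[str, str] = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        match = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if match:
            props[match.group(1)] = match.group(2).strip()
    return props


def is_affected(version: str, props: dict[str, str]) -> tuple[bool, str]:
    """Return (affected, reason) for the given Atlas version and configuration."""
    v = parse_version(version)
    if v < (0, 8, 0):
        return False, "version predates the affected range (0.8)"
    if v >= (2, 5, 0):
        return False, "version 2.5.0 or later contains the fix"
    if v < (2, 0, 0):
        return True, "versions 0.8 through 1.x are affected regardless of configuration"
    # 2.0 through 2.4.0: exposure depends on the non-default setting.
    if props.get(PROPERTY, "").strip().lower() == "false":
        return True, f"non-default {PROPERTY}=false is set"
    return False, f"{PROPERTY} is not set to false (default configuration)"


def main() -> None:
    # Constructed sample configuration, not taken from any real deployment.
    sample_properties = """
    # atlas-application.properties (constructed sample)
    atlas.graph.storage.backend=hbase2
    atlas.dsl.executor.traversal = false
    """
    props = parse_properties(sample_properties)
    for version in ("1.2.0", "2.4.0", "2.5.0"):
        affected, reason = is_affected(version, props)
        print(f"Atlas {version}: {'AFFECTED' if affected else 'not affected'} ({reason})")


if __name__ == "__main__":
    main()
```

Run it against the real atlas-application.properties and the deployed artifact version; a 2.x deployment that reports "not affected" because the property is absent should still plan the 2.5.0 upgrade, since the advisory's recommended fix is the upgrade rather than the configuration.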
Credit:
Khaled M. Alshammri (finder)
qx L (finder)
References:
https://atlas.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-40563