PT-2026-21638 · Unknown · Datalinkdc Dinky
Ana10Gy · Published 2026-02-24 · Updated 2026-02-24 · CVE-2026-3052
CVSS v3.1: 7.7 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:N/A:N
Name of the Vulnerable Software and Affected Versions
DataLinkDC dinky versions up to 1.2.5
Description
A server-side request forgery condition exists in DataLinkDC dinky. The issue is located in the proxyUba function within the dinky-admin/src/main/java/org/dinky/controller/FlinkProxyController.java file of the Flink Proxy Controller component. Manipulation of a request can lead to server-side request forgery. This issue is remotely exploitable, and details about the exploit have been publicly released. The vendor was notified but did not respond.
Recommendations
Versions prior to 1.2.5 are affected. As a temporary workaround, consider disabling the proxyUba() function until a patch is available. Restrict access to the Flink Proxy Controller module to minimize the risk of exploitation.
Exploit
Fix
SSRF
Affected Products
Datalinkdc Dinky