PT-2026-36788 · Apache · Apache Atlas

Qx L · Published 2026-05-04 · Updated 2026-05-04 · CVE-2026-40563

CVSS v3.1

7.1 High

Vector

AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N

Name of the Vulnerable Software and Affected Versions

Apache Atlas versions 0.8 through 2.4.0

Description

An improper control of code generation issue exists in the DSL search endpoint, which accepts user-supplied query strings. An attacker can alter Gremlin traversal logic using grammar-allowed characters to access unintended data. For versions 2.0 and later, this issue only occurs when the software is deployed with the non-default configuration atlas.dsl.executor.traversal=false.

Recommendations

Upgrade to version 2.5.0.
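
The exposure conditions above can be checked against an Atlas properties file (typically atlas-application.properties) and the installed version. This is an added example, not code from the advisory or from Apache Atlas; the function names and the sample file content are constructed for illustration.

```python
import re

KEY = "atlas.dsl.executor.traversal"          # setting named in the advisory
FIRST_AFFECTED, LAST_AFFECTED = (0, 8, 0), (2, 4, 0)
CONDITIONAL_FROM = (2, 0, 0)                  # from 2.0 on, only the non-default value is affected
# Constructed sample content, not taken from a real deployment.
SAMPLE = "# search settings\nexample.other.setting=1\natlas.dsl.executor.traversal = false\n"

def parse_version(text):
    """'2.4.0' or '2.3.0-SNAPSHOT' -> (2, 4, 0); missing parts count as 0."""
    nums = [int(n) for n in re.findall(r"\d+", text.split("-")[0])][:3]
    return tuple(nums + [0] * (3 - len(nums)))

def traversal_values(properties_text):
    """All values assigned to KEY in Java-properties text, in file order."""
    values = []
    for raw in properties_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":       # blank line or comment
            continue
        m = re.match(r"([^=:\s]+)\s*[=:\s]\s*(.*)", line)
        if m and m.group(1) == KEY:
            values.append(m.group(2).strip().lower())
    return values

def assess(version, properties_text):
    """Classify a deployment using only the conditions stated in the advisory."""
    v = parse_version(version)
    if not FIRST_AFFECTED <= v <= LAST_AFFECTED:
        return "outside affected range"
    if v < CONDITIONAL_FROM:
        return "affected"
    # Conservative: any 'false' assignment counts, whichever duplicate wins at load time.
    if "false" in traversal_values(properties_text):
        return "affected (non-default setting)"
    return "not exposed with current setting"

if __name__ == "__main__":
    print(assess("2.4.0", SAMPLE))
```

A result of "not exposed with current setting" reflects only the configuration condition; the advisory's recommendation is still to upgrade to 2.5.0.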

Fix

Code Injection

Weakness Enumeration

Related Identifiers

CVE-2026-40563

Affected Products

Apache Atlas