PT-2026-41310 · Apache · Apache Flink

CVE-2026-35194

·

Published

2026-05-15

·

Updated

2026-05-20

CVSS v3.1

8.1

High

VectorAV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
Name of the Vulnerable Software and Affected Versions Apache Flink versions 1.15.0 through 1.20.x Apache Flink versions 2.0.0 through 2.x
Description Code injection in SQL code generation allows authenticated users with query submission privileges to execute arbitrary code on TaskManagers using maliciously crafted SQL queries. The issue occurs because user-controlled strings are interpolated into generated Java code without proper escaping, enabling attackers to break out of string literals and inject arbitrary expressions. This affects JSON functions and LIKE expressions with ESCAPE clauses.
Recommendations Upgrade versions 1.15.0 through 1.20.x to 1.20.4. Upgrade versions 2.0.0 through 2.x to 2.0.2, 2.1.2, or 2.2.1.

Exploit

Fix

RCE

Code Injection

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BIT-FLINK-2026-35194
CVE-2026-35194
GHSA-2F54-V4HM-FX73

Affected Products

Apache Flink