PT-2026-43265 · Apache · Apache Flink Kubernetes Operator

Andrea Cosentino

·

Published

2026-05-26

·

Updated

2026-06-01

·

CVE-2026-40564

CVSS v2.0

6.8

Medium

VectorAV:N/AC:L/Au:S/C:C/I:N/A:N
Name of the Vulnerable Software and Affected Versions Apache Flink Kubernetes Operator versions 1.3.0 through 1.14.x
Description A Server-Side Request Forgery (SSRF) and local file access issue exists where the jarURI in FlinkSessionJob is not validated. This allows a user with CR create permissions to read files from the operator pod's filesystem and retrieve content from any backing store reachable via Flink's pluggable filesystem layer. For http/https addresses, there is no URI scheme allowlist, host check, IP-range restriction, or protection against internal or link-local addresses.
Recommendations Upgrade to version 1.15.0.

Exploit

Fix

Files Accessible to External Parties

SSRF

Found an issue in the description? Have something to add? Feel free to write us 👾

Weakness Enumeration

Related Identifiers

BDU:2026-07535
CVE-2026-40564

Affected Products

Apache Flink Kubernetes Operator