PT-2026-43265 · Apache · Apache Flink Kubernetes Operator
Andrea Cosentino
·
Published
2026-05-26
·
Updated
2026-06-01
·
CVE-2026-40564
CVSS v2.0
6.8
Medium
| Vector | AV:N/AC:L/Au:S/C:C/I:N/A:N |
Name of the Vulnerable Software and Affected Versions
Apache Flink Kubernetes Operator versions 1.3.0 through 1.14.x
Description
A Server-Side Request Forgery (SSRF) and local file access issue exists where the
jarURI in FlinkSessionJob is not validated. This allows a user with CR create permissions to read files from the operator pod's filesystem and retrieve content from any backing store reachable via Flink's pluggable filesystem layer. For http/https addresses, there is no URI scheme allowlist, host check, IP-range restriction, or protection against internal or link-local addresses.Recommendations
Upgrade to version 1.15.0.
Exploit
Fix
Files Accessible to External Parties
SSRF
Found an issue in the description? Have something to add? Feel free to write us 👾
Related Identifiers
Affected Products
Apache Flink Kubernetes Operator