CVE-2026-35194
Apache · Flink
Apache Flink is vulnerable to code injection during SQL code generation, which can be exploited by authenticated users to execute arbitrary code.
Executive summary
A critical code injection vulnerability in Apache Flink allows authenticated attackers to execute arbitrary code via the SQL interface.
Vulnerability
This is a code injection vulnerability (CWE-94) in the SQL code generation component of Apache Flink. It requires an attacker to have authenticated access to the system to trigger the injection through specially crafted SQL queries.
Business impact
Successful exploitation grants an attacker the ability to execute arbitrary code within the context of the Flink service, potentially leading to full system compromise, data theft, or lateral movement within the network. Given the CVSS score of 8.1, the impact is severe, particularly in environments where Flink processes sensitive data or has high-level system permissions.
Remediation
Immediate Action: Upgrade to Apache Flink versions 1.20.4, 2.0.2, 2.1.2, or 2.2.1 to resolve the code generation flaw.
Proactive Monitoring: Monitor SQL query logs for unusual syntax or patterns that may indicate attempts to inject code into the generation process.
Compensating Controls: Restrict access to the Flink SQL interface to trusted users only and implement strict network segmentation to limit the reach of a potential compromise.
Exploitation status
Public Exploit Available: No (exploit_available: false)
Analyst recommendation
Given the potential for remote code execution, organizations using Apache Flink must apply the provided security updates as a matter of urgency. Ensure that internal access controls are strictly enforced to minimize the risk of exploitation by unauthorized or compromised users.