CVE-2026-41042
Apache Software Foundation · Apache Gravitino
An unauthenticated remote code execution vulnerability in Apache Gravitino allows attackers to execute arbitrary Java code via malicious H2 JDBC URLs.
Executive summary
An unauthenticated remote code execution vulnerability in Apache Gravitino allows attackers to execute arbitrary code on affected servers using malicious JDBC parameters.
Vulnerability
This is an improper input validation (CWE-20) vulnerability that allows unauthenticated callers to supply malicious H2 JDBC URLs during testConnection API calls, triggering arbitrary Java code execution.
Business impact
Despite the vendor noting that this is primarily an issue in test/local environments, the CVSS score of 9.1 indicates a critical risk. If the software is exposed to a network, an attacker could gain full control over the server hosting the Gravitino instance, leading to total system compromise and potential lateral movement into internal networks.
Remediation
Immediate Action: Upgrade to Apache Gravitino version 1.2.1 or later to remediate the input validation flaw.
Proactive Monitoring: Audit network access to ensure that the Gravitino test API is not exposed to untrusted networks or the public internet.
Compensating Controls: Ensure the application is deployed within a hardened, isolated environment with restricted network access, preventing unauthorized callers from interacting with the testConnection API.
Exploitation status
Public Exploit Available: False
Analyst recommendation
Organizations must upgrade to version 1.2.1 immediately to close this remote code execution vector. While the vendor suggests the risk is mitigated in local development environments, any Gravitino instance reachable over a network should be considered at high risk until the update is applied.