CVE-2026-41042

Apache Software Foundation · Apache Gravitino

An unauthenticated remote code execution vulnerability in Apache Gravitino allows attackers to execute arbitrary Java code via malicious H2 JDBC URLs.

Executive summary

An unauthenticated remote code execution vulnerability in Apache Gravitino allows attackers to execute arbitrary code on affected servers using malicious JDBC parameters.

Vulnerability

This is an improper input validation (CWE-20) vulnerability that allows unauthenticated callers to supply malicious H2 JDBC URLs during testConnection API calls, triggering arbitrary Java code execution.

Business impact

Despite the vendor noting that this is primarily an issue in test/local environments, the CVSS score of 9.1 indicates a critical risk. If the software is exposed to a network, an attacker could gain full control over the server hosting the Gravitino instance, leading to total system compromise and potential lateral movement into internal networks.

Remediation

Immediate Action: Upgrade to Apache Gravitino version 1.2.1 or later to remediate the input validation flaw.

Proactive Monitoring: Audit network access to ensure that the Gravitino test API is not exposed to untrusted networks or the public internet.

Compensating Controls: Ensure the application is deployed within a hardened, isolated environment with restricted network access, preventing unauthorized callers from interacting with the testConnection API.

Exploitation status

Public Exploit Available: False

Analyst recommendation

Organizations must upgrade to version 1.2.1 immediately to close this remote code execution vector. While the vendor suggests the risk is mitigated in local development environments, any Gravitino instance reachable over a network should be considered at high risk until the update is applied.