oss-sec mailing list archives

CVE-2026-35194: Apache Flink: Remote code execution via SQL injection in code generation

From: Martijn Visser <martijnvisser () apache org>
Date: Fri, 15 May 2026 15:06:51 +0000

Severity: critical 

Affected versions:

- Apache Flink 1.15.0 before 1.20.4,2.0.2,2.1.2,2.2.1

Description:

Code injection in SQL code generation in Apache Flink 1.15.0 through 1.20.x and 2.0.0 through 2.x allows authenticated 
users with query submission privileges to execute arbitrary code on TaskManagers via maliciously crafted SQL queries. 
The vulnerability affects JSON functions (1.15.0+) and LIKE expressions with ESCAPE clauses (1.17.0+). User-controlled 
strings are interpolated into generated Java code without proper escaping, allowing attackers to break out of string 
literals and inject arbitrary expressions.

Users are recommended to upgrade to either version 1.20.4, 2.0.2, 2.1.2 or 2.2.1, which fixes this issue.

Credit:

Yaswant Katakam, Confluent InfoSec (finder)

References:

https://flink.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-35194

Current thread:

CVE-2026-35194: Apache Flink: Remote code execution via SQL injection in code generation Martijn Visser (May 15)