HomeCyber Security News
Critical Apache Flink Vulnerability Enables Remote code execution Attacks
By Abinaya
May 19, 2026
A newly disclosed critical vulnerability in Apache Flink, tracked as CVE-2026-35194, exposes distributed data processing environments to remote code execution (RCE) attacks via SQL injection flaws in the platform’s code generation engine.
The flaw lies in Apache Flink’s SQL code-generation mechanism, where user-supplied input is improperly sanitized before being embedded in dynamically generated Java code.
This allows authenticated users with query submission privileges to inject malicious payloads that escape intended string boundaries and execute arbitrary code.
Specifically, the vulnerability affects:
JSON functions were introduced in Flink version 1.15.0.
LIKE expressions with ESCAPE clauses were introduced in version 1.17.0.
By exploiting these components, attackers can craft SQL queries that manipulate the code generation process, ultimately achieving arbitrary code execution on TaskManager nodes within a Flink cluster.
According to the advisory, the following versions are vulnerable:
Apache Flink 1.15.0 through 1.20.x (before 1.20.4).
Apache Flink 2.0.0 through 2.x (before 2.0.2, 2.1.2, and 2.2.1).
Apache contributor Martijn Visser publicly disclosed the issue on May 15, 2026, and rated it critical due to its impact on production clusters.
Apache Flink Vulnerability
The root cause lies in unsafe string interpolation during SQL-to-Java code translation.
User-controlled input is directly inserted into generated code without proper escaping or validation. This allows attackers to:
Break out of string literals in generated Java code.
Inject arbitrary Java expressions or method calls.
Execute malicious code across distributed TaskManager nodes.
Given Flink’s architecture, successful exploitation can lead to full cluster compromise, data manipulation, or lateral movement within the environment.
The vulnerability is particularly dangerous in multi-tenant or shared environments where users have query execution permissions.
Even without administrative privileges, an attacker can escalate their capabilities and gain control over backend processing nodes.
Apache has released patched versions to address the issue and urges users to upgrade immediately to versions 1.20.4, 2.0.2, 2.1.2, or 2.2.1.
Additional mitigation steps include:
Restricting query submission privileges to trusted users.
Monitoring SQL query activity for anomalous patterns.
Implementing runtime security controls on TaskManager nodes.
Organizations using Apache Flink in production environments should prioritize patching, as exploitation could result in severe operational and data security risks.
Follow us on Google News, LinkedIn, and X to Get More Instant Updates.
Tags
cyber security
cyber security news
Copy URL
Linkedin
Twitter
ReddIt
Telegram
Abinayahttps://cybersecuritynews.com/
Abi is a Security Editor and fellow reporter with Cyber Security News. She is covering various cyber security incidents happening in the Cyber Space.
Trending News
CISA Warns of critical Magento Cache Warmer RCE flaw Exploited in Attacks
Payouts King Ransomware Evades EDR With Obfuscation and Direct System Calls
Hackers Can Hijack Claude Code MCP Traffic to Steal OAuth Tokens
Fake Claude Code Installer Via Google Sites Delivers Credential-Stealing Malware
Instagram Fixes Password Reset Flaw That Exposes User Emails and Phone Numbers
Latest News
Cyber Security
SPF, DKIM, DMARC Passed. Malicious Link Passes Every Authentication Check, But CyberCheck360 Caught It
Cyber Security
Google Chrome 0-Day Vulnerability Exploited in the Wild — Update Now
Cyber Security News
New Weedhack Malware-as-a-Service Targets Minecraft Players to Steal Credentials, and Hijack Accounts
Cyber Security News
New NFCShare Android Malware Delivered via Weaponized Versions of Egitimate Banking Apps
Cyber Security
Microsoft Defender Now Monitors RPC Protocol Abuse by Hackers