CVE-2026-35194

HIGH

Apache Flink: Remote code execution via SQL injection in code generation

Title source: cna

Description

Code injection in SQL code generation in Apache Flink 1.15.0 through 1.20.x and 2.0.0 through 2.x allows authenticated users with query submission privileges to execute arbitrary code on TaskManagers via maliciously crafted SQL queries. The vulnerability affects JSON functions (1.15.0+) and LIKE expressions with ESCAPE clauses (1.17.0+). User-controlled strings are interpolated into generated Java code without proper escaping, allowing attackers to break out of string literals and inject arbitrary expressions. Users are recommended to upgrade to either version 1.20.4, 2.0.2, 2.1.2 or 2.2.1, which fixes this issue.

References (2)

Core 2

Core References

Vendor Advisory vendor-advisory

https://lists.apache.org/thread/qh52bw4hhvy7n2owd8b3bt51mz0lvj9x

Mailing List

http://www.openwall.com/lists/oss-security/2026/05/15/20

Scores

CVSS v3 8.1

EPSS 0.0005

EPSS Percentile 16.3%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact total

Details

CWE

CWE-94

Status published

Products (15)

apache/flink 2.2.0 (3 CPE variants)

apache/flink 1.15.0 - 1.20.4

Apache Software Foundation/Apache Flink 1.15.0 - 1.20.4,2.0.2,2.1.2,2.2.1

org.apache.flink/flink-table-api-java 1.15.0 - 1.20.4Maven

org.apache.flink/flink-table-api-java 2.0.0 - 2.0.2Maven

org.apache.flink/flink-table-api-java 2.1.0 - 2.1.2Maven

org.apache.flink/flink-table-api-java 2.2.0 - 2.2.1Maven

org.apache.flink/flink-table-planner_2.12 1.15.0 - 1.20.4Maven

org.apache.flink/flink-table-planner_2.12 2.0.0 - 2.0.2Maven

org.apache.flink/flink-table-planner_2.12 2.1.0 - 2.1.2Maven

... and 5 more

Published May 15, 2026

Tracked Since May 15, 2026