A critical security flaw in Apache Flink, identified as CVE-2026-35194, presents a significant risk of remote code execution (RCE) attacks. The vulnerability emerges from SQL injection issues within the platform’s code generation engine, potentially affecting distributed data processing environments.
Vulnerability Details
The core issue resides in Apache Flink's SQL code-generation process, where user input is inadequately sanitized before being incorporated into dynamically generated Java code. This oversight allows users with query submission rights to insert harmful payloads that break out of the intended string boundaries and execute arbitrary commands.
This vulnerability is particularly associated with JSON functions introduced in version 1.15.0 and LIKE expressions with ESCAPE clauses from version 1.17.0. Attackers can exploit these features to manipulate the code generation mechanism, leading to arbitrary code execution on the TaskManager nodes within a Flink cluster.
Affected Versions and Disclosure
The affected versions are Apache Flink 1.15.0 through 1.20.x (up to but not including 1.20.4) and Apache Flink 2.0.0 through the 2.x releases prior to 2.0.2, 2.1.2, and 2.2.1. Apache contributor Martijn Visser publicly disclosed the issue on May 15, 2026, highlighting its critical nature due to the potential impact on production clusters.
The vulnerability stems from insecure string interpolation during the SQL-to-Java translation process, where user-controlled inputs are embedded into the generated code without adequate escaping or validation.
Security Implications and Mitigation
Exploitation of this vulnerability can lead to severe ramifications, including full cluster compromise, data manipulation, and lateral movement within the network. It poses a heightened threat in multi-tenant or shared environments where users have permission to execute queries.
To address the issue, Apache has released patches, urging users to upgrade to versions 1.20.4, 2.0.2, 2.1.2, or 2.2.1. Additional mitigation strategies include restricting query submission privileges to trusted users, monitoring SQL query activities for unusual patterns, and implementing runtime security controls on TaskManager nodes.
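For triage on clusters that cannot be upgraded immediately, the following added example (not Apache's code and not part of the original article) checks a Flink version against the ranges listed above and flags logged SQL statements that use the affected features. The function names, regular expressions and sample statements are constructed for illustration, and release lines newer than 2.2 are assumed to include the fix.

```python
import re

# Fixed patch level per release line, taken from the advisory text above.
FIXED_PATCH = {(1, 20): 4, (2, 0): 2, (2, 1): 2, (2, 2): 1}

LITERAL = re.compile(r"'(?:[^']|'')*'")  # SQL string literal, '' = escaped quote
JSON_USE = re.compile(r"\bJSON_\w+\s*\(|\bIS\s+(?:NOT\s+)?JSON\b", re.I)
LIKE_ESCAPE = re.compile(r"\bLIKE\b.*?\bESCAPE\b", re.I | re.S)

def parse_version(version):
    m = re.match(r"(\d+)\.(\d+)\.(\d+)", version.strip())
    if not m:
        raise ValueError(f"unparseable Flink version: {version!r}")
    return tuple(int(g) for g in m.groups())

def is_affected(version):
    major, minor, patch = parse_version(version)
    line = (major, minor)
    if line in FIXED_PATCH:
        return patch < FIXED_PATCH[line]
    # 1.15-1.19 have no fixed release listed; lines newer than 2.2 are
    # assumed to ship the fix (assumption, the page does not list them).
    return (1, 15) <= line < (1, 20)

def exposed_features(version, sql):
    """Affected SQL features a statement uses on a given Flink version."""
    if not is_affected(version):
        return []
    line = parse_version(version)[:2]
    bare = LITERAL.sub("''", sql)  # blank out literals so data is not matched
    hits = []
    if JSON_USE.search(bare):
        hits.append("json_function")  # JSON functions: since 1.15.0
    if line >= (1, 17) and LIKE_ESCAPE.search(bare):
        hits.append("like_escape")    # LIKE ... ESCAPE: since 1.17.0
    return hits

# Constructed sample statements (benign), as they might appear in a query log.
SAMPLE_LOG = [
    "SELECT JSON_VALUE(payload, '$.user.id') FROM events",
    "SELECT name FROM users WHERE name LIKE '100!%' ESCAPE '!'",
    "SELECT note FROM t WHERE note = 'uses JSON_VALUE( and LIKE x ESCAPE y'",
]

if __name__ == "__main__":
    for stmt in SAMPLE_LOG:
        print(exposed_features("1.19.1", stmt), stmt)
```

A hit means the statement exercises an affected code path on that version, not that it is malicious; use the output to decide which jobs and submitters to review first.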
Organizations leveraging Apache Flink in their production environments should prioritize these updates and mitigation measures to protect against severe operational and data security risks.
