Apache Flink
Known Exploited Apache Flink Vulnerabilities
The following Apache Flink vulnerabilities have been marked by CISA as Known to be Exploited by threat actors.
| Title | Description | Added |
|---|---|---|
| Apache Flink Improper Access Control Vulnerability | Apache Flink contains an improper access control vulnerability that allows an attacker to read any file on the local filesystem of the JobManager through its REST interface. CVE-2020-17519. Exploit probability: 94.4% | May 23, 2024 |
The vulnerability CVE-2020-17519 (Apache Flink Improper Access Control Vulnerability) is in the top 1% of the currently known exploitable vulnerabilities.
By the Year
In 2026 there have been 0 vulnerabilities in Apache Flink. Last year, in 2025, Flink had 1 security vulnerability published. Right now, Flink is on track to have fewer security vulnerabilities in 2026 than it did last year.
| Year | Vulnerabilities | Average Score |
|---|---|---|
| 2026 | 0 | 0.00 |
| 2025 | 1 | 0.00 |
| 2024 | 0 | 0.00 |
| 2023 | 0 | 0.00 |
| 2022 | 0 | 0.00 |
| 2021 | 1 | 9.10 |
It may take a day or so for new Flink vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.
Recent Apache Flink Security Vulnerabilities
SQLi via crafted identifiers in Apache FlinkCDC 3.4.0
CVE-2025-62228
- October 09, 2025
Apache Flink CDC version 3.4.0 was vulnerable to a SQL injection via maliciously crafted identifiers, e.g. a crafted database name or a crafted table name. Even though only the logged-in database user can trigger the attack, we recommend users update Flink CDC to version 3.5.0, which addresses this issue.
SQL Injection
A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well)
CVE-2020-17519
9.1 - Critical
- January 05, 2021
A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the JobManager process. Access is restricted to files accessible by the JobManager process. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit b561010b0ee741543c3953306037f00d7a9f0801 from apache/flink:master.
Files or Directories Accessible to External Parties