Apache Flink SQLi in 1.15-1.20.x and 2.x prior to 1.20.4/2.0.2
CVE-2026-35194 Published on May 15, 2026
Apache Flink: Remote code execution via SQL injection in code generation
Code injection in SQL code generation in Apache Flink 1.15.0 through 1.20.x and 2.0.0 through 2.x allows authenticated users with query submission privileges to execute arbitrary code on TaskManagers via maliciously crafted SQL queries. The vulnerability affects JSON functions (1.15.0+) and LIKE expressions with ESCAPE clauses (1.17.0+). User-controlled strings are interpolated into generated Java code without proper escaping, allowing attackers to break out of string literals and inject arbitrary expressions.
Users are recommended to upgrade to either version 1.20.4, 2.0.2, 2.1.2 or 2.2.1, which fixes this issue.
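The weakness class described above, as an added Java example that is neither Flink's code generator nor the project's fix: a hypothetical generator pastes a user string into a Java string literal, first unescaped and then escaped, and a small scanner counts how many literals the generated statement contains. All class and method names and the sample input are constructed for illustration.

```java
// Added illustration: names are hypothetical, this is not Flink's code generator.
public class LiteralCodegenDemo {

    // Vulnerable pattern: the user string is pasted between the quotes as-is.
    static String emitNaive(String userValue) {
        return "String pattern = \"" + userValue + "\";";
    }

    // Hardened pattern: escape everything that is special inside a Java literal.
    static String emitEscaped(String userValue) {
        return "String pattern = \"" + escapeJavaLiteral(userValue) + "\";";
    }

    static String escapeJavaLiteral(String s) {
        StringBuilder out = new StringBuilder(s.length() + 8);
        for (int i = 0; i < s.length(); i++) {
            char c = s.charAt(i);
            switch (c) {
                case '"':  out.append("\\\""); break;
                case '\\': out.append("\\\\"); break; // a typed unicode escape stays text
                case '\n': out.append("\\n");  break;
                case '\r': out.append("\\r");  break;
                default:
                    if (c < 0x20 || c > 0x7e) out.append(String.format("\\u%04x", (int) c));
                    else out.append(c);
            }
        }
        return out.toString();
    }

    // Counts string literals in a generated statement (-1 if one is left open).
    // One interpolated value must always produce exactly one literal.
    static int countLiterals(String src) {
        int count = 0;
        boolean inside = false;
        for (int i = 0; i < src.length(); i++) {
            char c = src.charAt(i);
            if (inside && c == '\\') { i++; continue; } // skip the escaped character
            if (c == '"') { if (inside) count++; inside = !inside; }
        }
        return inside ? -1 : count;
    }

    public static void main(String[] args) {
        String sample = "50%\" + \"off"; // constructed input containing two quotes
        for (String stmt : new String[] { emitNaive(sample), emitEscaped(sample) }) {
            System.out.println(countLiterals(stmt) + " literal(s): " + stmt);
        }
    }
}
```

A literal count other than one for a single interpolated value means the input changed the structure of the generated source, which is the condition the escaping step prevents.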
Vulnerability Analysis
CVE-2026-35194 is exploitable with network access, and requires a small amount of user privileges. This vulnerability is considered to have a low attack complexity. The potential impact of an exploit of this vulnerability is considered to have a high impact on confidentiality and integrity, and no impact on availability.
Weakness Type
What is a Code Injection Vulnerability?
The software constructs all or part of a code segment using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the syntax or behavior of the intended code segment.
CVE-2026-35194 has been classified as a Code Injection vulnerability or weakness.
Products Associated with CVE-2026-35194
Affected Versions
Apache Software Foundation Apache Flink: Version 1.15.0 and below 1.20.4, 2.0.2, 2.1.2, 2.2.1 is affected.