CVE-2026-35194HIGH 8.1EPSS p29.7%

CVE-2026-35194CVE-2026-35194

Description

Code injection in SQL code generation in Apache Flink 1.15.0 through 1.20.x and 2.0.0 through 2.x allows authenticated users with query submission privileges to execute arbitrary code on TaskManagers via maliciously crafted SQL queries. The vulnerability affects JSON functions (1.15.0+) and LIKE expressions with ESCAPE clauses (1.17.0+). User-controlled strings are interpolated into generated Java code without proper escaping, allowing attackers to break out of string literals and inject arbitrary expressions. Users are recommended to upgrade to either version 1.20.4, 2.0.2, 2.1.2 or 2.2.1, which fixes this issue.

Scoring

CVSS 3.18.1 (HIGH)
VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N
EPSS0.38% probability of exploitation · percentile 29.7% · 2026-06-18T12:00:27Z
Published2026-05-15
Last modified2026-05-18

Underlying weaknesses· 1

CWE-94

References

  1. https://lists.apache.org/thread/qh52bw4hhvy7n2owd8b3bt51mz0lvj9x
  2. http://www.openwall.com/lists/oss-security/2026/05/15/20

1

TypeTargetConfidenceTier
WeaknessImproper Control of Generation of Code ('Code Injection')cwe-940%live

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2025-62228
CVE
CVE-2026-40564
CVE
Apache Flink Improper Access Control Vulnerability
CVE
CVE-2026-40563
CVE
CVE-2026-46586
CVE
CVE-2026-39815
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.