CVE-2026-40564 (GCVE-0-2026-40564)

Vulnerability from cvelistv5 – Published: 2026-05-26 14:38 – Updated: 2026-05-26 16:18
VLAI
Title
Apache Flink Kubernetes Operator: Server-Side Request Forgery and local file access in Kubernetes Operator
Summary
Files or Directories Accessible to External Parties, Server-Side Request Forgery (SSRF) vulnerability in Apache Flink Kubernetes Operator. The FlinkSessionJob jarURI is currently not validated so that it points to user-owned files or addresses.  This lets a user with CR create permissions read files from the operator pod's filesystem and pull content from any backing store reachable through Flink's pluggable filesystem layer and access them through the submitted Flink job. Furthermore for fetching from http/https addresses there is currently no allowlist on the URI scheme, no host check, no IP-range restriction, and no protection against pointing the URI at internal or link-local addresses.This issue affects Apache Flink Kubernetes Operator: from 1.3.0 before 1.15.0. Users are recommended to upgrade to version 1.15.0, which fixes the issue.
Severity
No CVSS data available.
CWE
  • CWE-552 - Files or Directories Accessible to External Parties
  • CWE-918 - Server-Side Request Forgery (SSRF)
Assigner
References
Impacted products
Credits
Andrea Cosentino Andrea Cosentino
Show details on NVD website
To clipboard 

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-05-26T16:18:03.659Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/05/26/6"
          }
        ],
        "title": "CVE Program Container"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Flink Kubernetes Operator",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThan": "1.15.0",
              "status": "affected",
              "version": "1.3.0",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "Andrea Cosentino"
        },
        {
          "lang": "en",
          "type": "remediation developer",
          "value": "Andrea Cosentino"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "\u003cp\u003eFiles or Directories Accessible to External Parties, Server-Side Request Forgery (SSRF) vulnerability in Apache Flink Kubernetes Operator.\u003c/p\u003eThe FlinkSessionJob jarURI is currently not validated so that it points to user-owned files or addresses.\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003e\u0026nbsp;This lets a user with CR create permissions read files from the operator pod\u0027s filesystem and pull content from any backing store reachable through Flink\u0027s pluggable filesystem layer \u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003eand access them through the submitted Flink job\u003c/span\u003e. Furthermore for fetching from http/https addresses\u0026nbsp;\u003cspan style=\"background-color: rgb(255, 255, 255);\"\u003ethere is currently no allowlist on the URI scheme, no host check, no IP-range restriction, and no protection against pointing the URI at internal or link-local addresses.\u003c/span\u003e\u003c/span\u003e\u003cdiv\u003e\u003cp\u003eThis issue affects Apache Flink Kubernetes Operator: from 1.3.0 before 1.15.0.\u003c/p\u003e\u003cp\u003eUsers are recommended to upgrade to version 1.15.0, which fixes the issue.\u003c/p\u003e\u003c/div\u003e"
            }
          ],
          "value": "Files or Directories Accessible to External Parties, Server-Side Request Forgery (SSRF) vulnerability in Apache Flink Kubernetes Operator.\n\nThe FlinkSessionJob jarURI is currently not validated so that it points to user-owned files or addresses.\u00a0\u00a0This lets a user with CR create permissions read files from the operator pod\u0027s filesystem and pull content from any backing store reachable through Flink\u0027s pluggable filesystem layer and access them through the submitted Flink job. Furthermore for fetching from http/https addresses\u00a0there is currently no allowlist on the URI scheme, no host check, no IP-range restriction, and no protection against pointing the URI at internal or link-local addresses.This issue affects Apache Flink Kubernetes Operator: from 1.3.0 before 1.15.0.\n\nUsers are recommended to upgrade to version 1.15.0, which fixes the issue."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-552",
              "description": "CWE-552 Files or Directories Accessible to External Parties",
              "lang": "en",
              "type": "CWE"
            }
          ]
        },
        {
          "descriptions": [
            {
              "cweId": "CWE-918",
              "description": "CWE-918 Server-Side Request Forgery (SSRF)",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-05-26T14:38:21.937Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/jvxs2kh2o60sl7qkl5nss4r5phzfl4cz"
        }
      ],
      "source": {
        "discovery": "EXTERNAL"
      },
      "title": "Apache Flink Kubernetes Operator: Server-Side Request Forgery and local file access in Kubernetes Operator",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-40564",
    "datePublished": "2026-05-26T14:38:21.937Z",
    "dateReserved": "2026-04-14T12:59:12.603Z",
    "dateUpdated": "2026-05-26T16:18:03.659Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "epss": {
      "cve": "CVE-2026-40564",
      "date": "2026-05-27",
      "epss": "0.00014",
      "percentile": "0.02773"
    },
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-40564\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2026-05-26T16:16:24.590\",\"lastModified\":\"2026-05-26T19:05:09.927\",\"vulnStatus\":\"Awaiting Analysis\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Files or Directories Accessible to External Parties, Server-Side Request Forgery (SSRF) vulnerability in Apache Flink Kubernetes Operator.\\n\\nThe FlinkSessionJob jarURI is currently not validated so that it points to user-owned files or addresses.\u00a0\u00a0This lets a user with CR create permissions read files from the operator pod\u0027s filesystem and pull content from any backing store reachable through Flink\u0027s pluggable filesystem layer and access them through the submitted Flink job. Furthermore for fetching from http/https addresses\u00a0there is currently no allowlist on the URI scheme, no host check, no IP-range restriction, and no protection against pointing the URI at internal or link-local addresses.This issue affects Apache Flink Kubernetes Operator: from 1.3.0 before 1.15.0.\\n\\nUsers are recommended to upgrade to version 1.15.0, which fixes the issue.\"}],\"metrics\":{},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-552\"},{\"lang\":\"en\",\"value\":\"CWE-918\"}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread/jvxs2kh2o60sl7qkl5nss4r5phzfl4cz\",\"source\":\"security@apache.org\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2026/05/26/6\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}"
  }
}


Log in or create an account to share your comment.




Tags
Taxonomy of the tags.




Forecast uses a logistic model when the trend is rising, or an exponential decay model when the trend is falling. Fitted via linearized least squares.

Sightings

Author Source Type Date Other

Nomenclature

  • Seen: The vulnerability was mentioned, discussed, or observed by the user.
  • Confirmed: The vulnerability has been validated from an analyst's perspective.
  • Published Proof of Concept: A public proof of concept is available for this vulnerability.
  • Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
  • Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
  • Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
  • Not confirmed: The user expressed doubt about the validity of the vulnerability.
  • Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.



Detection rules are retrieved from Rulezet.