{"id":"GHSA-2f54-v4hm-fx73","summary":"Apache Flink: Remote code execution via SQL injection in code generation","details":"Code injection in SQL code generation in Apache Flink 1.15.0 through 1.20.x and 2.0.0 through 2.x allows authenticated users with query submission privileges to execute arbitrary code on TaskManagers via maliciously crafted SQL queries. The vulnerability affects JSON functions (1.15.0+) and LIKE expressions with ESCAPE clauses (1.17.0+). User-controlled strings are interpolated into generated Java code without proper escaping, allowing attackers to break out of string literals and inject arbitrary expressions.\n\nUsers are recommended to upgrade to version 1.20.4, 2.0.2, 2.1.2 or 2.2.1, each of which fixes this issue.","aliases":["BIT-flink-2026-35194","CVE-2026-35194"],"modified":"2026-05-22T16:11:02.271533008Z","published":"2026-05-15T18:30:34Z","database_specific":{"github_reviewed_at":"2026-05-22T15:49:47Z","severity":"HIGH","github_reviewed":true,"cwe_ids":["CWE-94"],"nvd_published_at":"2026-05-15T16:16:14Z"},"references":[{"type":"ADVISORY","url":"https://nvd.nist.gov/vuln/detail/CVE-2026-35194"},{"type":"WEB","url":"https://github.com/apache/flink/commit/64007b131d689158af90ca1c1b71b018129a85c5"},{"type":"WEB","url":"https://github.com/apache/flink/commit/8db22cf8fbc4c785f6ffd41c2fd3e8b64a9688cd"},{"type":"PACKAGE","url":"https://github.com/apache/flink"},{"type":"WEB","url":"https://lists.apache.org/thread/qh52bw4hhvy7n2owd8b3bt51mz0lvj9x"},{"type":"WEB","url":"http://www.openwall.com/lists/oss-security/2026/05/15/20"}],"affected":[{"package":{"name":"org.apache.flink:flink-table-planner_2.12","ecosystem":"Maven","purl":"pkg:maven/org.apache.flink/flink-table-planner_2.12"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"1.15.0"},{"fixed":"1.20.4"}]}],"versions":["1.15.0","1.15.1","1.15.2","1.15.3","1.15.4","1.16.0","1.16.1","1.16.2","1.16.3","1.17.0","1.17.1","1.17.2","1.18.0","1.18.1","1.19.0","1.19.1","1.19.2","1.19.3","1.20.0"
,"1.20.1","1.20.2","1.20.3"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-2f54-v4hm-fx73/GHSA-2f54-v4hm-fx73.json"}},{"package":{"name":"org.apache.flink:flink-table-planner_2.12","ecosystem":"Maven","purl":"pkg:maven/org.apache.flink/flink-table-planner_2.12"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.0.0"},{"fixed":"2.0.2"}]}],"versions":["2.0-preview1","2.0.0","2.0.1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-2f54-v4hm-fx73/GHSA-2f54-v4hm-fx73.json"}},{"package":{"name":"org.apache.flink:flink-table-planner_2.12","ecosystem":"Maven","purl":"pkg:maven/org.apache.flink/flink-table-planner_2.12"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.1.0"},{"fixed":"2.1.2"}]}],"versions":["2.1.0","2.1.1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-2f54-v4hm-fx73/GHSA-2f54-v4hm-fx73.json"}},{"package":{"name":"org.apache.flink:flink-table-planner_2.12","ecosystem":"Maven","purl":"pkg:maven/org.apache.flink/flink-table-planner_2.12"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.2.0"},{"fixed":"2.2.1"}]}],"versions":["2.2.0"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-2f54-v4hm-fx73/GHSA-2f54-v4hm-fx73.json"}},{"package":{"name":"org.apache.flink:flink-table-api-java","ecosystem":"Maven","purl":"pkg:maven/org.apache.flink/flink-table-api-java"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"1.15.0"},{"fixed":"1.20.4"}]}],"versions":["1.15.0","1.15.1","1.15.2","1.15.3","1.15.4","1.16.0","1.16.1","1.16.2","1.16.3","1.17.0","1.17.1","1.17.2","1.18.0","1.18.1","1.19.0","1.19.1","1.19.2","1.19.3","1.20.0","1.20.1","1.20.2","1.20.3"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main
/advisories/github-reviewed/2026/05/GHSA-2f54-v4hm-fx73/GHSA-2f54-v4hm-fx73.json"}},{"package":{"name":"org.apache.flink:flink-table-api-java","ecosystem":"Maven","purl":"pkg:maven/org.apache.flink/flink-table-api-java"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.0.0"},{"fixed":"2.0.2"}]}],"versions":["2.0-preview1","2.0.0","2.0.1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-2f54-v4hm-fx73/GHSA-2f54-v4hm-fx73.json"}},{"package":{"name":"org.apache.flink:flink-table-api-java","ecosystem":"Maven","purl":"pkg:maven/org.apache.flink/flink-table-api-java"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.1.0"},{"fixed":"2.1.2"}]}],"versions":["2.1.0","2.1.1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-2f54-v4hm-fx73/GHSA-2f54-v4hm-fx73.json"}},{"package":{"name":"org.apache.flink:flink-table-api-java","ecosystem":"Maven","purl":"pkg:maven/org.apache.flink/flink-table-api-java"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.2.0"},{"fixed":"2.2.1"}]}],"versions":["2.2.0"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-2f54-v4hm-fx73/GHSA-2f54-v4hm-fx73.json"}},{"package":{"name":"org.apache.flink:flink-table-runtime","ecosystem":"Maven","purl":"pkg:maven/org.apache.flink/flink-table-runtime"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"1.15.0"},{"fixed":"1.20.4"}]}],"versions":["1.15.0","1.15.1","1.15.2","1.15.3","1.15.4","1.16.0","1.16.1","1.16.2","1.16.3","1.17.0","1.17.1","1.17.2","1.18.0","1.18.1","1.19.0","1.19.1","1.19.2","1.19.3","1.20.0","1.20.1","1.20.2","1.20.3"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-2f54-v4hm-fx73/GHSA-2f54-v4hm-fx73.json"}},{"package":{"name":"org.apache.flink:flink-table-runtim
e","ecosystem":"Maven","purl":"pkg:maven/org.apache.flink/flink-table-runtime"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.0.0"},{"fixed":"2.0.2"}]}],"versions":["2.0-preview1","2.0.0","2.0.1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-2f54-v4hm-fx73/GHSA-2f54-v4hm-fx73.json"}},{"package":{"name":"org.apache.flink:flink-table-runtime","ecosystem":"Maven","purl":"pkg:maven/org.apache.flink/flink-table-runtime"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.1.0"},{"fixed":"2.1.2"}]}],"versions":["2.1.0","2.1.1"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-2f54-v4hm-fx73/GHSA-2f54-v4hm-fx73.json"}},{"package":{"name":"org.apache.flink:flink-table-runtime","ecosystem":"Maven","purl":"pkg:maven/org.apache.flink/flink-table-runtime"},"ranges":[{"type":"ECOSYSTEM","events":[{"introduced":"2.2.0"},{"fixed":"2.2.1"}]}],"versions":["2.2.0"],"database_specific":{"source":"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/05/GHSA-2f54-v4hm-fx73/GHSA-2f54-v4hm-fx73.json"}}],"schema_version":"1.7.5","severity":[{"type":"CVSS_V3","score":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N"}]}