CVE-2026-40564
Status: Modified (updated after analysis)
SSRF and File Access in Apache Flink Kubernetes Operator

Publication date: 2026-05-26

Last updated on: 2026-06-02

Assigner: Apache Software Foundation

Description
Files or Directories Accessible to External Parties, Server-Side Request Forgery (SSRF) vulnerability in Apache Flink Kubernetes Operator. The FlinkSessionJob jarURI is not validated, so it can point at files or addresses that the submitting user does not own. This lets a user with permission to create the FlinkSessionJob custom resource (CR) read files from the operator pod's filesystem, pull content from any backing store reachable through Flink's pluggable filesystem layer, and access that content through the submitted Flink job. Furthermore, for fetching from http/https addresses there is no allowlist on the URI scheme, no host check, no IP-range restriction, and no protection against pointing the URI at internal or link-local addresses. This issue affects Apache Flink Kubernetes Operator from 1.3.0 before 1.15.0. Users are recommended to upgrade to version 1.15.0, which fixes the issue.
Meta Information
Published: 2026-05-26
Last Modified: 2026-06-02
Generated: 2026-06-16
AI Q&A: 2026-05-26
EPSS Evaluated: 2026-06-14
References: NVD, EUVD
Affected Vendors & Products
Showing 1 associated CPE
Vendor | Product | Version / Range
apache | flink_kubernetes_operator | From 1.3.0 (inc) to 1.15.0 (exc)
Exploitability
CWE ID | Description
CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination.
CWE-552 | The product makes files or directories accessible to unauthorized actors, even though they should not be.
Executive Summary

This vulnerability exists in the Apache Flink Kubernetes Operator, where the FlinkSessionJob jarURI is not properly validated. A user permitted to create FlinkSessionJob custom resources can therefore read files from the operator pod's filesystem and access content from any backing store reachable through Flink's pluggable filesystem layer, simply by submitting a Flink job whose jarURI points at that location.

Additionally, when fetching from http/https addresses, there is no allowlist on the URI scheme, no host check, no IP-range restriction, and no protection against pointing the URI at internal or link-local addresses, which can lead to Server-Side Request Forgery (SSRF).
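The description and the summary above name four missing controls on the jarURI: a scheme allowlist, a host check, an IP-range restriction, and protection against internal or link-local targets. The following Python check is an added example of what those controls look like when applied together; it is not code from the Apache Flink Kubernetes Operator project, and the allowed schemes, the allowlisted hostnames, the DNS answers and the sample jarURI values are all assumptions constructed for the illustration.

```python
"""Hardened jarURI check covering the gaps described in CVE-2026-40564.
Added illustration, not the operator's own code."""
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed policy (not from the advisory): schemes a jarURI may use.
# file: is deliberately absent; that is what closes the pod-filesystem read.
ALLOWED_SCHEMES = {"http", "https", "s3"}

# Assumed policy: http(s) jars may only come from these names (hypothetical).
ALLOWED_HTTP_HOSTS = {"jars.example.com", "mirror.example.com"}

# Ranges an operator-side fetch must never reach; this explicit list is the policy.
BLOCKED_NETWORKS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8", "169.254.0.0/16",
    "172.16.0.0/12", "192.168.0.0/16", "240.0.0.0/4",
    "::1/128", "fc00::/7", "fe80::/10",
)]


def is_blocked_address(addr: str) -> bool:
    """True if addr falls in a range the fetcher must not connect to."""
    ip = ipaddress.ip_address(addr)
    # Judge ::ffff:10.0.0.1 as 10.0.0.1, otherwise the IPv4 ranges are bypassed.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    if ip.is_loopback or ip.is_link_local or ip.is_multicast or ip.is_unspecified:
        return True
    return any(ip in net for net in BLOCKED_NETWORKS)


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _live_resolver(host: str) -> list[str]:
    """Every address the fetcher could end up connecting to for host."""
    return sorted({ai[4][0] for ai in socket.getaddrinfo(host, None)})


def validate_jar_uri(uri: str, resolver=_live_resolver) -> str:
    """Return uri unchanged if it passes policy; raise ValueError with the reason.

    resolver maps a hostname to its addresses and is injectable so the check
    can run offline against constructed DNS answers."""
    parts = urlsplit(uri)
    if parts.scheme not in ALLOWED_SCHEMES:
        raise ValueError(f"scheme {parts.scheme!r} is not allowed")
    if parts.scheme == "s3":
        # Object-store URIs go to the configured endpoint, not a user-chosen host.
        if not parts.netloc or parts.path in ("", "/"):
            raise ValueError("s3 URI needs a bucket and an object key")
        return uri
    # user@host authorities make a naive host check read the wrong component.
    if parts.username is not None or parts.password is not None:
        raise ValueError("credentials in the authority are not allowed")
    host = parts.hostname
    if not host:
        raise ValueError("missing host")
    # Deny by range first: an IP literal, or a name that resolves into a
    # blocked range, is rejected regardless of allowlisting.
    addrs = [host] if _is_ip_literal(host) else resolver(host)
    if not addrs:
        raise ValueError(f"{host} does not resolve")
    for addr in addrs:
        if is_blocked_address(addr):
            raise ValueError(f"{host} -> {addr} is not a public address")
    # Then allow by name: a public address on its own is still not enough.
    if _is_ip_literal(host) or host not in ALLOWED_HTTP_HOSTS:
        raise ValueError(f"host {host!r} is not an allowlisted name")
    return uri


# Constructed DNS answers so the example runs offline (203.0.113.0/24 is a
# documentation range standing in for public addresses).
FAKE_DNS = {
    "jars.example.com": ["203.0.113.10"],
    "mirror.example.com": ["203.0.113.20", "10.0.0.5"],  # one answer is internal
}


def check(uri: str):
    """Run validate_jar_uri against the constructed DNS table; return (allowed, reason)."""
    try:
        validate_jar_uri(uri, resolver=lambda h: FAKE_DNS.get(h, []))
        return True, "ok"
    except ValueError as exc:
        return False, str(exc)


if __name__ == "__main__":
    # Constructed jarURI values: pod filesystem, link-local, smuggled host,
    # allowlisted name that resolves into an internal range, then two valid ones.
    for sample in ("file:///etc/passwd", "http://169.254.169.254/job.jar",
                   "http://[fe80::1]/job.jar", "https://jars.example.com@10.0.0.5/job.jar",
                   "https://mirror.example.com/job.jar",
                   "https://jars.example.com/releases/job.jar", "s3://flink-jobs/releases/job.jar"):
        allowed, reason = check(sample)
        print(f"{'ALLOW' if allowed else 'DENY ':5} {sample}  ({reason})")
```

Two caveats matter when a check like this fronts a real fetcher. The addresses validated here must be the ones the fetcher connects to (pass them down or pin them), otherwise a second DNS lookup at fetch time can return a different, internal answer. And any HTTP redirect must be re-validated with the same function, since a redirect to a link-local or private address is otherwise an SSRF through an allowlisted host.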

Impact Analysis

This vulnerability allows an attacker who can create FlinkSessionJob resources to read sensitive files from the operator pod's filesystem and to access data from internal or external backing stores through Flink jobs.

It also enables Server-Side Request Forgery (SSRF), allowing attackers to make requests to internal or link-local network addresses that are normally inaccessible, potentially exposing internal services or data.

Mitigation Strategies

Users are recommended to upgrade to Apache Flink Kubernetes Operator version 1.15.0, which fixes the vulnerability. Until the upgrade is done, the precondition stated in the description gives the interim control: exploitation requires permission to create FlinkSessionJob custom resources, so limit that RBAC permission to trusted principals and review existing FlinkSessionJob resources for jarURI values that use the file scheme or point at internal or link-local addresses.

Compliance Impact

The CVE-2026-40564 vulnerability allows unauthorized access to files on the operator pod's filesystem and internal or link-local network resources via Server-Side Request Forgery (SSRF). This unauthorized access could lead to exposure of sensitive or confidential data.

Such exposure of sensitive data may impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information from unauthorized access.

Therefore, if exploited, this vulnerability could result in non-compliance with these regulations due to potential data breaches or unauthorized data disclosure.
