CVE-2026-40564
SSRF and File Access in Apache Flink Kubernetes Operator
Publication date: 2026-05-26
Last updated on: 2026-05-26
Assigner: Apache Software Foundation
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | flink_kubernetes_operator | From 1.3.0 (inc) to 1.15.0 (exc) |
| apache | flink_kubernetes_operator | 1.15.0 |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-552 | The product makes files or directories accessible to unauthorized actors, even though they should not be. |
| CWE-918 | The web server receives a URL or similar request from an upstream component and retrieves the contents of this URL, but it does not sufficiently ensure that the request is being sent to the expected destination. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The CVE-2026-40564 vulnerability allows unauthorized access to files on the operator pod's filesystem and internal or link-local network resources via Server-Side Request Forgery (SSRF). This unauthorized access could lead to exposure of sensitive or confidential data.
Such exposure of sensitive data may impact compliance with common standards and regulations like GDPR and HIPAA, which require protection of personal and sensitive information from unauthorized access.
Therefore, if exploited, this vulnerability could result in non-compliance with these regulations due to potential data breaches or unauthorized data disclosure.
Can you explain this vulnerability to me?
This vulnerability exists in the Apache Flink Kubernetes Operator where the FlinkSessionJob jarURI is not properly validated. This allows a user with create permissions to read files from the operator pod's filesystem and access content from any backing store reachable through Flink's pluggable filesystem layer by submitting a Flink job.
Additionally, when fetching from http/https addresses, there is no allowlist on the URI scheme, no host check, no IP-range restriction, and no protection against pointing the URI at internal or link-local addresses, which can lead to Server-Side Request Forgery (SSRF).
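The three checks the description says are absent (a URI-scheme allowlist, a host allowlist, and a check of the resolved addresses against loopback, private and link-local ranges) can be expressed as one validator. This is an added illustration, not code from the Apache Flink Kubernetes Operator; the allowed schemes, the blocked ranges and the injected `resolve` hook are assumptions chosen for the example.

```python
import ipaddress
from urllib.parse import urlparse

# Constructed policy: only these schemes may serve a job jar. "file:" and
# "local:" are deliberately excluded so the operator pod's own filesystem
# can never be read through the jarURI.
ALLOWED_SCHEMES = {"https", "s3"}

# Address ranges a fetch must never reach: loopback, RFC 1918 private space,
# the IPv4 link-local range (where cloud metadata endpoints live), and the
# IPv6 equivalents. Constructed for the example.
BLOCKED_NETS = [ipaddress.ip_network(n) for n in (
    "127.0.0.0/8", "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
    "169.254.0.0/16", "0.0.0.0/8", "::1/128", "fc00::/7", "fe80::/10",
)]


def _is_blocked(addr: str) -> bool:
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in BLOCKED_NETS)


def validate_jar_uri(uri: str, allowed_hosts: set, resolve) -> tuple:
    """Return (True, "") if `uri` may be fetched, else (False, reason).

    `resolve(host)` must return every IP address the host maps to; it is
    injected (assumption) so the check can be exercised offline.
    """
    parsed = urlparse(uri)
    scheme = parsed.scheme.lower()
    if scheme not in ALLOWED_SCHEMES:
        return False, f"scheme '{scheme}' is not allowlisted"
    if parsed.username or parsed.password:
        return False, "credentials embedded in the URI are not allowed"
    host = (parsed.hostname or "").lower()
    # An IP literal such as 169.254.169.254 is also caught here: it is never
    # in the host allowlist.
    if host not in allowed_hosts:
        return False, f"host '{host}' is not allowlisted"
    if scheme != "https":
        # Object-store buckets are matched by name; no DNS lookup applies.
        return True, ""
    try:
        addrs = resolve(host)
    except OSError as exc:
        return False, f"DNS resolution failed: {exc}"
    # Every record must pass: a name with one public and one internal
    # address would otherwise slip through.
    for addr in addrs:
        if _is_blocked(addr):
            return False, f"host '{host}' resolves to blocked address {addr}"
    return True, ""
```

The address check is only meaningful if the fetch then connects to the vetted address rather than resolving the name a second time; otherwise a DNS answer that changes between check and fetch defeats it.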
How can this vulnerability impact me?
This vulnerability can allow an attacker with create permissions to read sensitive files from the operator pod's filesystem and access data from internal or external backing stores through Flink jobs.
It also enables Server-Side Request Forgery (SSRF), allowing attackers to make requests to internal or link-local network addresses that are normally inaccessible, potentially exposing internal services or data.
What immediate steps should I take to mitigate this vulnerability?
Users are recommended to upgrade to Apache Flink Kubernetes Operator version 1.15.0, which fixes the vulnerability.