CVE-2026-41042
Received Received - Intake

Remote Code Execution in Apache Gravitino via H2 JDBC URL

Vulnerability report for CVE-2026-41042, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-08

Last updated on: 2026-07-08

Assigner: Apache Software Foundation

Description

Unauthenticated callers can supply a malicious H2 JDBC URL through the testConnection API, which executes arbitrary Java code on the server via H2's INIT parameter. Vulnerability in Apache Gravitino. This issue affects Apache Gravitino: before 1.2.1. Users are recommended to upgrade to version 1.2.1, which fixes the issue. This issue only happens when using H2, and H2 is mainly used for testing and local development. Also, Gravitino is typically deployed in the internal environment, so the severity is low.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-08
Last Modified
2026-07-08
Generated
2026-07-08
AI Q&A
2026-07-08
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
apache gravitino to 1.2.1 (exc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-20 The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability allows unauthenticated callers to provide a malicious H2 JDBC URL through the testConnection API in Apache Gravitino. By exploiting the H2 database's INIT parameter, an attacker can execute arbitrary Java code on the server.

The issue affects versions of Apache Gravitino before 1.2.1 and occurs only when using the H2 database, which is mainly used for testing and local development.

Impact Analysis

An attacker exploiting this vulnerability can execute arbitrary Java code on the server without authentication, potentially leading to unauthorized control or compromise of the server hosting Apache Gravitino.

However, since this vulnerability only occurs when using the H2 database (primarily for testing and local development) and Gravitino is typically deployed in internal environments, the overall severity is considered low.

Mitigation Strategies

To mitigate this vulnerability, users are recommended to upgrade Apache Gravitino to version 1.2.1, which contains the fix for this issue.

Since the vulnerability occurs only when using the H2 database, which is mainly for testing and local development, avoiding the use of H2 in production or internal environments can also reduce risk.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-41042. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart