Critical Apache Flink Vulnerability Enables Remote Code Execution
A critical vulnerability, tracked as CVE-2026-35194, has been newly disclosed in Apache Flink, exposing distributed data processing environments to remote code execution (RCE) attacks. This flaw stems from SQL injection vulnerabilities within the platform’s code generation engine.
The flaw lies in Apache Flink’s SQL code-generation mechanism, where user-supplied input is improperly sanitized before being embedded in dynamically generated Java code.
This allows authenticated users with query submission privileges to inject malicious payloads that escape intended string boundaries and execute arbitrary code.
Specifically, the vulnerability affects:
- JSON functions, introduced in Flink version 1.15.0.
- LIKE expressions with ESCAPE clauses, introduced in version 1.17.0.
By exploiting these components, attackers can craft SQL queries that manipulate the code generation process, ultimately achieving arbitrary code execution on TaskManager nodes within a Flink cluster.
According to the advisory, the following versions are vulnerable:
- Apache Flink 1.15.0 through 1.20.x (before 1.20.4).
- Apache Flink 2.0.0 through 2.x (before 2.0.2, 2.1.2, and 2.2.1).
Apache contributor Martijn Visser publicly disclosed the issue on May 15, 2026, and rated it critical due to its impact on production clusters.
Apache Flink Vulnerability
The root cause lies in unsafe string interpolation during SQL-to-Java code translation.
User-controlled input is directly inserted into generated code without proper escaping or validation. This allows attackers to:
- Break out of string literals in generated Java code.
- Inject arbitrary Java expressions or method calls.
- Execute malicious code across distributed TaskManager nodes.
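The bug class described above, shown as an added example that is not Flink's code and is not taken from the advisory: a toy generator that embeds a value in a Java string literal, first unescaped and then escaped, with a small scanner that checks whether the result is still one literal. All class and method names are hypothetical and the sample inputs are constructed.

```java
import java.util.List;

public class LiteralEmbedding {
    // Vulnerable pattern: the value is pasted between the quotes unchanged.
    static String unsafeLiteral(String value) {
        return "\"" + value + "\"";
    }

    // Hardened pattern: encode every character that can end or alter the literal.
    static String safeLiteral(String value) {
        StringBuilder sb = new StringBuilder("\"");
        for (char c : value.toCharArray()) {
            switch (c) {
                case '\\': sb.append("\\\\"); break;
                case '"':  sb.append("\\\""); break;
                // Named escapes, not \\u000a: Unicode escapes are translated
                // before lexing and would put a raw line break in the literal.
                case '\n': sb.append("\\n"); break;
                case '\r': sb.append("\\r"); break;
                default:
                    if (c < 0x20 || c > 0x7e) {
                        sb.append(String.format("\\u%04x", (int) c));
                    } else {
                        sb.append(c);
                    }
            }
        }
        return sb.append('"').toString();
    }

    // Simplified check (ignores Unicode-escape pre-translation):
    // true only when src is exactly one string literal token.
    static boolean isSingleLiteral(String src) {
        if (src.length() < 2 || src.charAt(0) != '"') return false;
        for (int i = 1; i < src.length(); i++) {
            char c = src.charAt(i);
            if (c == '\\') { i++; continue; }          // skip the escaped character
            if (c == '\n' || c == '\r') return false;  // raw line break ends the token
            if (c == '"') return i == src.length() - 1;
        }
        return false; // no closing quote found
    }

    public static void main(String[] args) {
        // Constructed inputs: a plain path, an embedded quote, a trailing backslash, a newline.
        List<String> samples = List.of("$.a.b", "abc\" + \"xyz", "tail\\", "line1\nline2");
        for (String s : samples) {
            System.out.printf("unsafe single-literal=%b  safe single-literal=%b  safe=%s%n",
                isSingleLiteral(unsafeLiteral(s)), isSingleLiteral(safeLiteral(s)), safeLiteral(s));
        }
    }
}
```

Only the first sample survives the unescaped path as a single literal; all four do after escaping. A generator can also avoid the problem by passing the value to the generated class as data instead of writing it into the source text.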
Given Flink’s architecture, successful exploitation can lead to full cluster compromise, data manipulation, or lateral movement within the environment.
The vulnerability is particularly dangerous in multi-tenant or shared environments where users have query execution permissions.
Even without administrative privileges, an attacker can escalate their capabilities and gain control over backend processing nodes.
Apache has released patched versions to address the issue and urges users to upgrade immediately to versions 1.20.4, 2.0.2, 2.1.2, or 2.2.1.
Additional mitigation steps include:
- Restricting query submission privileges to trusted users.
- Monitoring SQL query activity for anomalous patterns.
- Implementing runtime security controls on TaskManager nodes.
Organizations using Apache Flink in production environments should prioritize patching, as exploitation could result in severe operational and data security risks.