SQL Code Injection Vulnerability in Apache Flink
CVE-2026-35194

Currently unrated

Key Information:

Vendor: Apache
Status: Apache Flink
Vendor: CVE Published:; 15 May 2026

What is CVE-2026-35194?

A code injection vulnerability has been identified in Apache Flink that affects versions 1.15.0 through 1.20.x and 2.0.0 through 2.x. Authenticated users with query submission privileges can exploit this flaw by submitting maliciously crafted SQL queries. The vulnerability specifically impacts JSON functions and LIKE expressions with ESCAPE clauses, allowing user-controlled strings to be interpolated into generated Java code without appropriate escaping. This can lead attackers to break out of string literals and inject arbitrary expressions into TaskManagers. Users should upgrade to version 1.20.4, 2.0.2, 2.1.2, or 2.2.1 to mitigate this risk.

Affected Version(s)

Apache Flink 1.15.0 < 1.20.4,2.0.2,2.1.2,2.2.1

References

https://lists.apache.org/thread/qh52bw4hhvy7n2owd8b3bt51m...

vendor-advisory

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 15, 2026
Vulnerability Reserved
Apr 1, 2026

Credit

Yaswant Katakam, Confluent InfoSec

CVE-2026-35194 Data

JSON