Code Injection Vulnerability in Apache Atlas by Apache
CVE-2026-40563

7.1HIGH

Key Information:

Vendor: Apache
Status: Apache Atlas
Vendor: CVE Published:; 4 May 2026

What is CVE-2026-40563?

Apache Atlas has a code injection vulnerability that stems from improper control over the generation of code via its DSL search endpoint. This endpoint mistakenly allows attackers to submit user-defined query strings, enabling them to manipulate Gremlin traversal logic. By utilizing allowed grammar characters, an attacker may gain access to unauthorized data, presenting a significant security risk. It is crucial for users of Apache Atlas, especially in versions ranging from 0.8 to 2.4.0 with specific configurations, to address this vulnerability by upgrading to version 2.5.0 to safeguard their data.

Affected Version(s)

Apache Atlas 0.8 <= 2.4.0

References

https://lists.apache.org/thread/vd0oggmqxl2k1skm0z2f9p0pl...

vendor-advisory

CVSS V3.1

Score:

7.1

Severity:

HIGH

Confidentiality:

High

Integrity:

Low

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

Low

User Interaction:

None

Scope:

Unchanged

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
May 4, 2026
Vulnerability Reserved
Apr 14, 2026

Credit

Khaled M. Alshammri

qx L

CVE-2026-40563 Data

JSON