Server-Side Request Forgery in Apache Flink Kubernetes Operator
CVE-2026-40564
Key Information:
- Vendor: Apache
- CVE Published: 26 May 2026
What is CVE-2026-40564?
A Server-Side Request Forgery (SSRF) vulnerability exists in the Apache Flink Kubernetes Operator that allows users with create permissions to access sensitive files on the operator pod's filesystem. The flaw arises from the lack of validation of the FlinkSessionJob jarURI, which makes unauthorized file reads from user-owned locations and requests to external addresses possible. Because the operator neither restricts the URI schemes it accepts nor blocks internal or link-local addresses, this vulnerability poses a significant risk. Users are strongly advised to upgrade to version 1.15.0 to mitigate this issue.
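The two missing checks the description names, a scheme allowlist and a block on internal or link-local destinations, are what a defender would want to see in a jarURI validator. The following is an added example written for this page; it is not the operator's own code and does not claim to be how version 1.15.0 fixes the issue. It assumes a hypothetical `validate_jar_uri` helper with an `https`-only default allowlist, and it takes a pluggable `resolver` so hostnames can be checked against their resolved addresses (DNS rebinding between validation and fetch is a separate problem this check does not close).

```python
import ipaddress
import socket
from urllib.parse import urlsplit

# Assumed policy: only fetch job jars over HTTPS. Adjust per deployment.
ALLOWED_SCHEMES = frozenset({"https"})


def _blocked_ip(ip):
    """True for addresses an operator pod should never fetch a jar from."""
    # Unwrap IPv4-mapped IPv6 (::ffff:a.b.c.d) so the IPv4 rules apply.
    if isinstance(ip, ipaddress.IPv6Address) and ip.ipv4_mapped is not None:
        ip = ip.ipv4_mapped
    return (
        ip.is_private        # RFC 1918 / ULA, cluster-internal ranges
        or ip.is_loopback    # 127.0.0.0/8, ::1
        or ip.is_link_local  # 169.254.0.0/16 (cloud metadata), fe80::/10
        or ip.is_multicast
        or ip.is_reserved
        or ip.is_unspecified
    )


def _default_resolver(host):
    """Resolve a hostname to the set of addresses it currently maps to."""
    return {info[4][0] for info in socket.getaddrinfo(host, None)}


def validate_jar_uri(uri, allowed_schemes=ALLOWED_SCHEMES, resolver=_default_resolver):
    """Return (ok, reason) for a user-supplied jarURI.

    Rejects disallowed schemes (e.g. file://, which would read the pod's
    filesystem) and any destination that is or resolves to an internal,
    loopback, or link-local address.
    """
    parts = urlsplit(uri)
    scheme = parts.scheme.lower()
    if scheme not in allowed_schemes:
        return False, f"scheme {scheme!r} not allowed"

    host = parts.hostname
    if not host:
        return False, "missing host"

    try:
        # IP literal (IPv4, or IPv6 with brackets already stripped by urlsplit).
        ips = {ipaddress.ip_address(host)}
    except ValueError:
        try:
            ips = {ipaddress.ip_address(a) for a in resolver(host)}
        except (socket.gaierror, ValueError) as exc:
            return False, f"cannot resolve {host}: {exc}"

    for ip in ips:
        if _blocked_ip(ip):
            return False, f"{host} resolves to blocked address {ip}"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample inputs; the resolver stub avoids live DNS.
    stub = lambda h: {"93.184.216.34"}
    for candidate in (
        "file:///etc/passwd",
        "https://169.254.169.254/latest/meta-data/",
        "https://[::1]/job.jar",
        "https://repo.example.test/job.jar",
    ):
        print(candidate, "->", validate_jar_uri(candidate, resolver=stub))
```

Run the validator before the operator ever touches the URI; a scheme check alone is not enough, because an `https://` URI can still point at the cluster network or the cloud metadata endpoint, which is why the resolved addresses are checked too.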
Affected Version(s)
Apache Flink Kubernetes Operator 1.3.0 < 1.15.0
Exploit Proof of Concept (PoC)
PoC code is written by security researchers to demonstrate that the vulnerability can be exploited. PoC code is also a key component of weaponization, which could lead to ransomware.