Code Execution Vulnerability in Apache Gravitino Affecting H2 JDBC URLs
CVE-2026-41042

Currently unrated

Key Information:

Vendor

Apache

Vendor
CVE Published:
8 July 2026

What is CVE-2026-41042?

A vulnerability in Apache Gravitino allows unauthenticated users to provide a malicious H2 JDBC URL via the testConnection API. This can lead to the execution of arbitrary Java code on the server due to improper handling of the INIT parameter in H2. This issue predominantly affects environments where H2 is used for testing or local development, emphasizing the importance of upgrading to version 1.2.1 to eliminate the risk.

Affected Version(s)

Apache Gravitino 0 < 1.2.1

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Junjie Li (Xidian University, https://github.com/jackieya)
.