Denial of Service Vulnerability in Apache Fluss by The Apache Software Foundation
CVE-2026-49361

7.5 HIGH

Key Information:

Vendor

Apache

CVE Published:
1 June 2026

What is CVE-2026-49361?

Apache Fluss (incubating) versions before 0.9.1 are susceptible to a Denial of Service attack. The vulnerability stems from a misconfiguration of Netty's LengthFieldBasedFrameDecoder: the decoder's maximum frame length was set to Integer.MAX_VALUE, so any length that fits in the length field is accepted instead of being rejected as too long. An unauthenticated remote attacker can send crafted frame headers that declare very large frame lengths, causing the TabletServer and CoordinatorServer to exhaust JVM heap memory. The affected processes then become unavailable and normal operation is severely disrupted. Users should upgrade to version 0.9.1, which fixes the issue.
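The following is an added illustration of the weak setting beside a bounded one; it is not Fluss project code, and the wire format it assumes (a 4-byte big-endian length prefix immediately followed by the frame body, hence the offsets 0, 4, 0, 4) and the 64 MiB limit MAX_FRAME_BYTES are assumptions chosen for the demo, not values taken from Fluss. It uses Netty's EmbeddedChannel to feed each decoder a single header that claims a body of roughly 2 GiB and never sends the body. With maxFrameLength = Integer.MAX_VALUE the decoder accepts the header and sits waiting for the declared bytes, holding per-connection state open for as long as the attacker keeps the socket alive; with a realistic bound it throws TooLongFrameException on the first read, which is the point at which the connection should be dropped.

```java
import io.netty.buffer.ByteBuf;
import io.netty.buffer.Unpooled;
import io.netty.channel.embedded.EmbeddedChannel;
import io.netty.handler.codec.LengthFieldBasedFrameDecoder;
import io.netty.handler.codec.TooLongFrameException;

/**
 * Added demo, not Fluss project code. Assumes a 4-byte big-endian length
 * prefix followed by the frame body; those offsets are an assumption about
 * the framing and are not taken from Fluss.
 */
public class FrameLengthDemo {

    // Demo value. In a real server, pick the largest request size the protocol
    // legitimately needs; anything above it is rejected before it is buffered.
    static final int MAX_FRAME_BYTES = 64 * 1024 * 1024;

    /** Weak configuration: any length the 4-byte field can express is accepted. */
    static LengthFieldBasedFrameDecoder unboundedDecoder() {
        return new LengthFieldBasedFrameDecoder(Integer.MAX_VALUE, 0, 4, 0, 4);
    }

    /** Bounded configuration: frames declaring more than MAX_FRAME_BYTES are rejected. */
    static LengthFieldBasedFrameDecoder boundedDecoder() {
        return new LengthFieldBasedFrameDecoder(MAX_FRAME_BYTES, 0, 4, 0, 4);
    }

    /**
     * A crafted header: a length prefix claiming a body of about 2 GiB, with
     * no body following. Including the 4-byte prefix itself, the declared
     * frame length comes to exactly Integer.MAX_VALUE.
     */
    static ByteBuf craftedHeader() {
        return Unpooled.buffer(4).writeInt(Integer.MAX_VALUE - 4);
    }

    /**
     * Feeds the crafted header to a pipeline holding only the given decoder and
     * reports the outcome: "rejected" if the decoder threw TooLongFrameException,
     * "waiting" if it accepted the header and is now buffering until the
     * declared body arrives (which an attacker never sends).
     */
    static String probe(LengthFieldBasedFrameDecoder decoder) {
        EmbeddedChannel ch = new EmbeddedChannel(decoder);
        try {
            ch.writeInbound(craftedHeader());
            // No complete frame can be produced from 4 bytes; if we get here
            // the decoder is holding its cumulation buffer open for more input.
            return ch.inboundMessages().isEmpty() ? "waiting" : "frame";
        } catch (TooLongFrameException e) {
            return "rejected";
        } finally {
            ch.finishAndReleaseAll();
        }
    }

    public static void main(String[] args) {
        System.out.println("maxFrameLength=Integer.MAX_VALUE -> " + probe(unboundedDecoder()));
        System.out.println("maxFrameLength=" + MAX_FRAME_BYTES + " -> " + probe(boundedDecoder()));
    }
}
```

Run with Netty 4.1 on the classpath. The bounded decoder fails fast because LengthFieldBasedFrameDecoder's failFast flag defaults to true, so the oversized header is refused as soon as it is read rather than after the declared bytes have been discarded; a practitioner checking a Netty-based service for this class of bug should look for any LengthFieldBasedFrameDecoder (or similar length-prefixed decoder) constructed with Integer.MAX_VALUE, and confirm that the exception handler for TooLongFrameException closes the offending connection.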

Affected Version(s)

Apache Fluss (incubating) 0.8.0

Apache Fluss (incubating) 0.9.0


CVSS V3.1

Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
Score: 7.5
Severity: HIGH
Confidentiality: None
Integrity: None
Availability: High
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged

Timeline

  • Vulnerability reserved

  • Vulnerability published: 1 June 2026

Credit

Andrea Cosentino