Authenticated Server-Side Request Forgery in Apache Gravitino JobManager
CVE-2026-49876

Currently unrated

Key Information:

Vendor

Apache

Vendor
CVE Published:
13 July 2026

What is CVE-2026-49876?

The Apache Gravitino JobManager has a vulnerability that allows authenticated users to execute server-side HTTP requests to sensitive internal network and cloud metadata endpoints. This occurs through unvalidated job template URIs, enabling potential unauthorized access to internal resources. Users are strongly advised to upgrade to version 1.3.0 to mitigate this issue.

Affected Version(s)

Apache Gravitino 1.0.0 <= 1.2.1

References

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Darpan Patel (darpan.patel5323@gmail.com)
.