Description
SQL misconfiguration in the Gravitino UI, in versions 1.0.0 and below, can allow a malicious user to read or truncate files.
Users are recommended to upgrade to version 1.0.0, which fixes this issue.
Published: 2026-06-30
Score: 5.4 Medium
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability is a SQL misconfiguration in the Apache Gravitino user interface that exists in releases 1.0.0 and earlier. A malicious user can craft input that lets them read files from the filesystem or truncate them. It is classified as CWE-89, a classic SQL injection weakness, and compromises the confidentiality and integrity of stored data.

Affected Systems

The affected product is Apache Software Foundation’s Apache Gravitino, versions 1.0.0 and below. No specific CPE strings or sub‑product identifiers are listed; therefore the entire base product as shipped before the 1.0.0 release is impacted. Users running these versions should be aware that the UI component lacks proper sanitization of user input leading to the SQL flaw.

Risk and Exploitability

The CVSS score is 5.4. EPSS is not provided, so the exact likelihood of exploitation cannot be quantified. The vulnerability is not listed in CISA’s KEV catalog, suggesting no publicly known exploitation yet. Because the flaw is exposed through the Gravitino UI, the likely attack vector is local or involves authenticated users with UI access; no external network attack was documented. Mitigating the risk requires applying the post‑1.0.0 fix and ensuring that only trusted users can interact with the UI or execute administration commands.

Generated by OpenCVE AI on June 30, 2026 at 16:51 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Apply the vendor’s patch by upgrading to Apache Gravitino 1.0.0 or later.
  • Disable external access to the Gravitino UI for untrusted users or enforce strict authentication and role‑based access control.
  • Verify that all SQL inputs are properly parameterized or sanitized; review any custom queries for injection vulnerabilities.

Advisories

No advisories yet.

History

Tue, 30 Jun 2026 15:30:00 +0000

Values Removed:
Values Added:
  Metrics:
    cvssV3_1: {'score': 5.4, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:L/A:N'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}


Tue, 30 Jun 2026 14:00:00 +0000

Values Removed:
Values Added:
  Description: SQL misconfiguration in the Gravitino UI, in versions 1.0.0 and below, can allow a malicious user to read or truncate files. Users are recommended to upgrade to version 1.0.0, which fixes this issue.
  Title: Apache Gravitino: SQL misconfiguration can access or truncate files
  Weaknesses: CWE-89
  References:

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-30T17:35:41.726Z

Reserved: 2025-07-08T05:17:44.991Z

Link: CVE-2025-53648

Vulnrichment

Updated: 2026-06-30T17:35:41.726Z

NVD

No data.

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-30T17:00:06Z

Weaknesses
  • CWE-89

    Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')