Description

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Atlas
Apache Atlas exposes a DSL search endpoint that accepts user-supplied query strings. An attacker can alter the Gremlin traversal logic within grammar-allowed characters to access unintended data.

Affected versions:
This issue affects Apache Atlas from 0.8 through 2.4.0.

For affected versions >= 2.0, the vulnerability is present only when Atlas is deployed with the following non-default configuration:

atlas.dsl.executor.traversal=false

Mitigation:
Users are recommended to upgrade to version 2.5.0, which fixes the issue.
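As an added illustration of the version and configuration condition stated above (example code written for this page, not Apache Atlas project code), the following check parses an installed version string and the contents of the Atlas properties file and reports whether a deployment falls under the affected condition. The properties file name, the minimal parser, and the assumption that an absent key keeps the non-vulnerable default are this example's, not the advisory's.

```python
import re

# Exposure check for the Apache Atlas DSL code-injection issue, constructed for
# this page (not Apache Atlas project code). Conditions come from the advisory:
# affected from 0.8 through 2.4.0; for 2.0 and later only when the non-default
# setting atlas.dsl.executor.traversal=false is present.
AFFECTED_FROM = (0, 8, 0)
AFFECTED_THROUGH = (2, 4, 0)
CONDITIONAL_FROM = (2, 0, 0)
TRAVERSAL_KEY = "atlas.dsl.executor.traversal"


def parse_version(text):
    """Turn '2.3.0', '2.3' or '2.3.0-SNAPSHOT' into a 3-tuple of ints."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text.strip())
    if not m:
        raise ValueError(f"unrecognised Atlas version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def parse_properties(text):
    """Minimal Java .properties parser: key=value or key: value, # and ! comments."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", line)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def assess(version, properties_text):
    """Return (affected, reason) for one Atlas deployment (e.g. atlas-application.properties content)."""
    v = parse_version(version)
    if v < AFFECTED_FROM or v > AFFECTED_THROUGH:
        return False, "version outside the affected range 0.8 through 2.4.0"
    if v < CONDITIONAL_FROM:
        return True, "versions before 2.0 are affected regardless of configuration"
    props = parse_properties(properties_text)
    # Assumption: an absent key keeps the default, which the advisory describes as unaffected.
    value = props.get(TRAVERSAL_KEY, "").lower()
    if value == "false":
        return True, f"{TRAVERSAL_KEY}=false is the non-default vulnerable setting"
    return False, f"{TRAVERSAL_KEY} is not set to false (default or hardened)"
```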
Published: 2026-05-04
Score: 7.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Apache Atlas contains a code injection flaw in its DSL search endpoint that allows an attacker to manipulate Gremlin traversal logic within the accepted grammar. By supplying a crafted query string, the attacker can modify the internal traversal logic and retrieve data not intended to be exposed. This vulnerability is classified under CWE-94 and can lead to unauthorized access to sensitive data stored in Atlas.

Affected Systems

The flaw affects Apache Atlas versions 0.8 through 2.4.0. For installations running Atlas 2.0 or newer, the issue is only triggered when the configuration parameter atlas.dsl.executor.traversal is set to false. Deployments that keep the default value are unaffected.

Risk and Exploitability

The CVSS score of 7.1 indicates a medium to high severity. No EPSS value is currently available, so the precise exploitation likelihood cannot be quantified, but the vulnerability is included in the public advisory and is not yet listed in the CISA KEV catalog. Attackers can target the exposed DSL endpoint over the network, and because the flaw does not require privileged input beyond a crafted query, the practical barrier to entry is low. The potential impact of data exposure combined with moderate exploitation risk warrants prompt remediation.

Generated by OpenCVE AI on May 4, 2026 at 17:23 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Atlas to version 2.5.0 or later, which removes the code-injection vector.
  • If an upgrade cannot be performed immediately, set the configuration parameter atlas.dsl.executor.traversal to true to disable the vulnerable traversal capability.
  • Additionally, implement input validation on user-supplied DSL queries to whitelist allowed syntax and reject any that contain suspicious traversal constructs.

Advisories

No advisories yet.

History

Mon, 04 May 2026 19:15:00 +0000
  Values added:
    First Time appeared: Apache; Apache atlas
    Vendors & Products: Apache; Apache atlas

Mon, 04 May 2026 16:30:00 +0000
  Values added:
    References

Mon, 04 May 2026 16:15:00 +0000
  Values added:
    Metrics: cvssV3_1 {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}
    Metrics: ssvc {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Mon, 04 May 2026 16:00:00 +0000
  Values added:
    Description: (identical to the Description section above)
    Title: Apache Atlas: Script injection allows access to unintended data
    Weaknesses: CWE-94
    References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-04T16:04:26.483Z

Reserved: 2026-04-14T12:05:23.666Z

Link: CVE-2026-40563

Vulnrichment

Updated: 2026-05-04T15:43:57.213Z

NVD

Status : Received

Published: 2026-05-04T16:16:02.283

Modified: 2026-05-04T17:16:23.500

Link: CVE-2026-40563

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-04T19:00:06Z

Weaknesses