Description
Files or Directories Accessible to External Parties, Server-Side Request Forgery (SSRF) vulnerability in Apache Flink Kubernetes Operator.

The FlinkSessionJob jarURI is not validated to ensure that it points only to files or addresses the submitting user owns. A user with permission to create the custom resource (CR) can therefore make the operator read files from its own pod's filesystem, pull content from any backing store reachable through Flink's pluggable filesystem layer, and access that content through the submitted Flink job. For http/https addresses there is no allowlist on the URI scheme, no host check, no IP-range restriction, and no protection against pointing the URI at internal or link-local addresses. This issue affects Apache Flink Kubernetes Operator from 1.3.0 before 1.15.0.

Users are recommended to upgrade to version 1.15.0, which fixes the issue.
Published: 2026-05-26
Score: n/a
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability stems from the FlinkSessionJob jarURI field being unvalidated. A user with permission to create that custom resource (CR create rights in the operator's namespace, not necessarily a ClusterRole) can make the operator read any file from its pod's local filesystem or fetch data from any address reachable through Flink's pluggable filesystem layer, and then read the result through the submitted job. This is Server-Side Request Forgery (CWE-918) combined with local file disclosure (CWE-552).

Affected Systems

Apache Flink Kubernetes Operator versions from 1.3.0 up to, but not including, 1.15.0 are affected. The operator is typically deployed within Kubernetes clusters by organizations using Flink for stream processing.

Risk and Exploitability

The risk is high because the operator performs the fetch on the attacker's behalf: a user who can create FlinkSessionJob resources needs no network path of their own to the operator pod's filesystem, to internal services, or to link-local addresses. The attack is a single crafted CustomResource with a malicious jarURI; no further interaction is needed once the operator reconciles it. The EPSS score is not available and the vulnerability is not listed in the CISA KEV catalog, but the absence of any scheme allowlist, host check or IP-range restriction means the flaw is straightforward to exploit by anyone holding CR create permissions.

Generated by OpenCVE AI on May 26, 2026 at 16:50 UTC.

Remediation

Vendor fix: Apache Flink Kubernetes Operator 1.15.0 resolves the issue. No workaround is published for earlier versions.

OpenCVE Recommended Actions

  • Upgrade the Apache Flink Kubernetes Operator to version 1.15.0 or later to eliminate the flaw.
  • Restrict RBAC (Role/ClusterRole bindings) so that only trusted users can create FlinkSessionJob and other CustomResources the operator reconciles.
  • Apply egress network policies or firewall rules so the operator pod cannot reach internal, private or link-local IP addresses and hosts that are not required for normal operation.
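The description lists the checks that were missing from the jarURI handling: a scheme allowlist, a host check, an IP-range restriction and protection against link-local targets. The Go validator below is an added example, not code from the Apache Flink Kubernetes Operator project and not its 1.15.0 fix; it shows what such checks look like when applied to a jarURI before a CR is accepted. The single allowed scheme (https) and the host artifacts.example.internal are assumed policy values, and the URIs in main are constructed samples. Hostnames are deliberately not resolved, so a DNS name that later resolves to an internal address is kept out only by the host allowlist, which is why the egress policy in the third action above is still needed alongside input validation.

```go
package main

import (
	"errors"
	"fmt"
	"net/netip"
	"net/url"
	"strings"
)

// Assumed policy values for this example: only HTTPS, only one artifact host.
// A real deployment would load these from operator configuration.
var allowedSchemes = map[string]bool{"https": true}
var allowedHosts = map[string]bool{"artifacts.example.internal": true}

// ValidateJarURI applies the checks the advisory says were absent:
// scheme allowlist, host allowlist, and rejection of IP literals that fall
// in loopback, private, link-local, multicast or unspecified ranges.
// It returns nil when the URI may be fetched and an error otherwise.
func ValidateJarURI(raw string) error {
	u, err := url.Parse(raw)
	if err != nil {
		return fmt.Errorf("jarURI is not a valid URI: %w", err)
	}
	scheme := strings.ToLower(u.Scheme)
	if !allowedSchemes[scheme] {
		// Rejects file://, local://, s3://, hdfs:// (all reachable through
		// Flink's pluggable filesystem layer) and bare paths with no scheme.
		return fmt.Errorf("jarURI scheme %q is not allowed", u.Scheme)
	}
	if u.User != nil {
		// "https://artifacts.example.internal@10.0.0.1/" would otherwise
		// look like the allowlisted host to a careless string match.
		return errors.New("jarURI must not carry userinfo")
	}
	host := strings.ToLower(u.Hostname()) // strips port and IPv6 brackets
	if host == "" {
		return errors.New("jarURI has no host")
	}
	if addr, err := netip.ParseAddr(host); err == nil {
		if isInternal(addr) {
			return fmt.Errorf("jarURI host %s is an internal address", addr)
		}
		// Even a public IP literal bypasses the name allowlist, so refuse it.
		return errors.New("jarURI host must be an allowlisted name, not an IP literal")
	}
	if !allowedHosts[host] {
		return fmt.Errorf("jarURI host %q is not allowlisted", host)
	}
	return nil
}

// isInternal reports whether an address should never be fetched by the
// operator. Unmap folds IPv4-mapped IPv6 (::ffff:10.0.0.1) into 10.0.0.1
// so the IPv4 range checks apply to it too.
func isInternal(a netip.Addr) bool {
	a = a.Unmap()
	return a.IsLoopback() || a.IsPrivate() || a.IsLinkLocalUnicast() ||
		a.IsLinkLocalMulticast() || a.IsMulticast() || a.IsUnspecified()
}

func main() {
	// Constructed sample jarURI values, from the allowed case through the
	// file-read and SSRF shapes the advisory describes.
	samples := []string{
		"https://artifacts.example.internal/jobs/wordcount.jar",
		"file:///var/run/secrets/kubernetes.io/serviceaccount/token",
		"http://169.254.169.254/latest/meta-data/",
		"https://10.0.0.5:8443/admin",
		"https://[::1]/",
		"https://[::ffff:192.168.1.1]/job.jar",
		"s3://bucket/job.jar",
		"https://evil.example.com/job.jar",
	}
	for _, raw := range samples {
		fmt.Printf("%-62s -> %v\n", raw, ValidateJarURI(raw))
	}
}
```

Running it prints one line per sample; only the first passes. The order of checks matters: the scheme test runs first so that file:// and the other filesystem schemes are rejected before any host logic, and IP literals are refused outright rather than being compared to the allowlist, which closes the gap between "host check" and "IP-range restriction" that the advisory lists separately.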

Generated by OpenCVE AI on May 26, 2026 at 16:50 UTC.

Advisories

No advisories yet.

History

Tue, 26 May 2026 17:30:00 +0000

Type        Values Removed   Values Added
References  (none)           (none recorded)

Tue, 26 May 2026 15:45:00 +0000

Type         Values Removed   Values Added
Description  (none)           The Description text shown at the top of this page
Title        (none)           Apache Flink Kubernetes Operator: Server-Side Request Forgery and local file access in Kubernetes Operator
Weaknesses   (none)           CWE-552, CWE-918
References   (none)           (none recorded)

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-05-26T16:18:03.659Z

Reserved: 2026-04-14T12:59:12.603Z

Link: CVE-2026-40564

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-05-26T16:16:24.590

Modified: 2026-05-26T17:16:41.723

Link: CVE-2026-40564

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-26T17:00:13Z

Weaknesses