Homepage

Arbitrary Code Injection Affecting flink-2.0 package, versions <2.0.2-r0

Severity

 Recommended
low

Based on default assessment until relevant scores are available.

Threat Intelligence

EPSS
0.05% (17th percentile)

Do your applications use this vulnerable package?

In a few clicks we can analyze your entire application and see what components are vulnerable in your application, and suggest you quick fixes.

Test your applications

Snyk Learn

Learn about Arbitrary Code Injection vulnerabilities in an interactive lesson.

Start learning
  • Snyk IDSNYK-MINIMOSLATEST-FLINK20-16873649
  • published24 May 2026
  • disclosed15 May 2026
Report a new vulnerability Found a mistake?

Introduced: 15 May 2026

NewCVE-2026-35194  (opens in a new tab)
CWE-94  (opens in a new tab)

How to fix?

Upgrade Minimos:latest flink-2.0 to version 2.0.2-r0 or higher.

NVD Description

Note: Versions mentioned in the description apply only to the upstream flink-2.0 package and not the flink-2.0 package as distributed by Minimos. See How to fix? for Minimos:latest relevant fixed versions and status.

Code injection in SQL code generation in Apache Flink 1.15.0 through 1.20.x and 2.0.0 through 2.x allows authenticated users with query submission privileges to execute arbitrary code on TaskManagers via maliciously crafted SQL queries. The vulnerability affects JSON functions (1.15.0+) and LIKE expressions with ESCAPE clauses (1.17.0+). User-controlled strings are interpolated into generated Java code without proper escaping, allowing attackers to break out of string literals and inject arbitrary expressions.

Users are recommended to upgrade to either version 1.20.4, 2.0.2, 2.1.2 or 2.2.1, which fixes this issue.