EXECUTIVE SUMMARY:
CVE-2026-35194 with a CVSS score of 9.8 is a critical remote code execution vulnerability in Apache Flink, exposing the distributed processing engine to attackers. Apache Flink is a powerful framework and distributed processing engine designed to handle stateful computations over both unbounded and bounded data streams, and the vulnerability targets users with query submission privileges who can exploit maliciously crafted SQL queries to execute arbitrary code directly on the TaskManagers. The technical root cause is a dangerous input sanitization failure in the way Apache Flink handles SQL code generation, specifically in JSON functions (versions 1.15.0 and newer) and LIKE expressions utilizing ESCAPE clauses (versions 1.17.0 and newer), allowing an attacker to break out of string literals and inject their own arbitrary expressions. This vulnerability impacts TaskManagers in Apache Flink 1.15.0 before 1.20.4, 2.0.2, 2.1.2, and 2.2.1, and given its critical severity rating, organizations leveraging Apache Flink for real-time analytics and data pipelines are urged to act immediately to prevent a complete system compromise at the Java execution level.[/subscribe_to_unlock_form]
EXECUTIVE SUMMARY:
CVE-2026-35194 with a CVSS score of 9.8 is a critical remote code execution vulnerability in Apache Flink, exposing the distributed processing engine to attackers. Apache Flink is a powerful framework and distributed processing engine designed to handle stateful computations over both unbounded and bounded data streams, and the vulnerability targets users with query submission privileges who can exploit maliciously crafted SQL queries to execute arbitrary code directly on the TaskManagers. The technical root cause is a dangerous input sanitization failure in the way Apache Flink handles SQL code generation, specifically in JSON functions (versions 1.15.0 and newer) and LIKE expressions utilizing ESCAPE clauses (versions 1.17.0 and newer), allowing an attacker to break out of string literals and inject their own arbitrary expressions. This vulnerability impacts TaskManagers in Apache Flink 1.15.0 before 1.20.4, 2.0.2, 2.1.2, and 2.2.1, and given its critical severity rating, organizations leveraging Apache Flink for real-time analytics and data pipelines are urged to act immediately to prevent a complete system compromise at the Java execution level.[emaillocker id="1283"]
RECOMMENDATION:
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/apache-flink-vulnerability-cve-2026-35194-rce-sql-injection/