CVE-2026-40564: CWE-552 Files or Directories Accessible to External Parties in Apache Software Foundation Apache Flink Kubernetes Operator
Files or Directories Accessible to External Parties, Server-Side Request Forgery (SSRF) vulnerability in Apache Flink Kubernetes Operator. The FlinkSessionJob jarURI is currently not validated so that it points to user-owned files or addresses. This lets a user with CR create permissions read files from the operator pod's filesystem and pull content from any backing store reachable through Flink's pluggable filesystem layer and access them through the submitted Flink job. Furthermore for fetching from http/https addresses there is currently no allowlist on the URI scheme, no host check, no IP-range restriction, and no protection against pointing the URI at internal or link-local addresses.This issue affects Apache Flink Kubernetes Operator: from 1.3.0 before 1.15.0. Users are recommended to upgrade to version 1.15.0, which fixes the issue.
AI Analysis
Technical Summary
The vulnerability CVE-2026-40564 in Apache Flink Kubernetes Operator involves improper validation of the FlinkSessionJob jarURI parameter. This lack of validation allows users with create permissions to read arbitrary files from the operator pod's filesystem and retrieve content from any accessible backing store via Flink's pluggable filesystem. Furthermore, HTTP/HTTPS URIs are not restricted by scheme, host, or IP range, enabling potential server-side request forgery (SSRF) attacks targeting internal or link-local addresses. The affected versions range from 1.3.0 up to but not including 1.15.0. The vendor has addressed this vulnerability in version 1.15.0.
Potential Impact
An attacker with create permissions on the Apache Flink Kubernetes Operator can exploit this vulnerability to read sensitive files from the operator pod's filesystem and access arbitrary backing stores. The lack of URI validation also allows SSRF attacks, potentially exposing internal network resources. This could lead to unauthorized data disclosure and increased attack surface within the affected environment.
Mitigation Recommendations
Users should upgrade Apache Flink Kubernetes Operator to version 1.15.0 or later, where this vulnerability is fixed. No other mitigation guidance is provided or necessary as the vendor has released an official fix.
CVE-2026-40564: CWE-552 Files or Directories Accessible to External Parties in Apache Software Foundation Apache Flink Kubernetes Operator
Description
Files or Directories Accessible to External Parties, Server-Side Request Forgery (SSRF) vulnerability in Apache Flink Kubernetes Operator. The FlinkSessionJob jarURI is currently not validated so that it points to user-owned files or addresses. This lets a user with CR create permissions read files from the operator pod's filesystem and pull content from any backing store reachable through Flink's pluggable filesystem layer and access them through the submitted Flink job. Furthermore for fetching from http/https addresses there is currently no allowlist on the URI scheme, no host check, no IP-range restriction, and no protection against pointing the URI at internal or link-local addresses.This issue affects Apache Flink Kubernetes Operator: from 1.3.0 before 1.15.0. Users are recommended to upgrade to version 1.15.0, which fixes the issue.
AI-Powered Analysis
Machine-generated threat intelligence
Technical Analysis
The vulnerability CVE-2026-40564 in Apache Flink Kubernetes Operator involves improper validation of the FlinkSessionJob jarURI parameter. This lack of validation allows users with create permissions to read arbitrary files from the operator pod's filesystem and retrieve content from any accessible backing store via Flink's pluggable filesystem. Furthermore, HTTP/HTTPS URIs are not restricted by scheme, host, or IP range, enabling potential server-side request forgery (SSRF) attacks targeting internal or link-local addresses. The affected versions range from 1.3.0 up to but not including 1.15.0. The vendor has addressed this vulnerability in version 1.15.0.
Potential Impact
An attacker with create permissions on the Apache Flink Kubernetes Operator can exploit this vulnerability to read sensitive files from the operator pod's filesystem and access arbitrary backing stores. The lack of URI validation also allows SSRF attacks, potentially exposing internal network resources. This could lead to unauthorized data disclosure and increased attack surface within the affected environment.
Mitigation Recommendations
Users should upgrade Apache Flink Kubernetes Operator to version 1.15.0 or later, where this vulnerability is fixed. No other mitigation guidance is provided or necessary as the vendor has released an official fix.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-04-14T12:59:12.603Z
- Cvss Version
- null
- State
- PUBLISHED
- Remediation Level
- null
Threat ID: 6a15c089891d628fdc570d13
Added to database: 5/26/2026, 3:47:21 PM
Last enriched: 5/26/2026, 4:03:32 PM
Last updated: 5/26/2026, 9:53:45 PM
Views: 27
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Actions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.
Latest Threats
Check if your credentials are on the dark web
Instant breach scanning across billions of leaked records. Free tier available.