CVE Daily
← All tags

Tag: Apache Flink

All CVEs associated with "Apache Flink". Page 1/1 • 7 CVEs.

About “Apache Flink”

A curated feed of “Apache Flink”-related CVEs appears below. We currently track 7 CVEs for this tag (all time). In the last 365 days, 3 were published. Average CVSS is 7.0 (all time; 7.8 over 365d), and 57% are rated High/Critical (all time). Top CWEs (last 365 days): CWE-552 - Files or Directories Accessible to External Parties, CWE-94 - Improper Control of Generation of Code ('Code Injection'), CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection').

In our taxonomy this topic maps to a LOW impact class. Vendor advisories and release notes are key. Verify compatibility matrices, prefer supported long term versions, and stage rollouts with monitoring. Use the filters below to sort by CVSS, risk and CWE. Each detail page highlights vendor advisories and mitigation tips.

Support & lifecycle: apache-flink

This table shows recent release cycles and their projected end-of-life. Data source: endoflife.date.

CycleReleaseLatestEOLLTS
2.22.2.1-
2.12.1.2-
2.02.0.2-
1.201.20.4-LTS
1.191.19.3-
1.181.18.1 Expired
1.171.17.2 Expired

Maintained Soon (≤ 180 days) Expired

Subscribe lifecycle: RSS (expired)  ·  ICS

Subscribe CVEs: RSS for “Apache Flink”  ·  RSS (High+Critical only)

CVEs tagged with this topic. Filters apply to the whole list (loaded from JSON).

CVSS ≥ 0.0
2026-05-26
Medium

CVE-2026-40564

Files or Directories Accessible to External Parties, Server-Side Request Forgery (SSRF) vulnerability in Apache Flink Kubernetes Operator. The FlinkSessionJob jarURI is currently not validated so th…

CVSS: 6.5 CWE: CWE-552 - Files or Directories Accessible to External Parties View on NVD
2026-05-15
High

CVE-2026-35194

Code injection in SQL code generation in Apache Flink 1.15.0 through 1.20.x and 2.0.0 through 2.x allows authenticated users with query submission privileges to execute arbitrary code on TaskManagers…

CVSS: 8.1 CWE: CWE-94 - Improper Control of Generation of Code ('Code Injection') View on NVD
2025-10-09
High

CVE-2025-62228

Apache Flink CDC version 3.4.0 was vulnerable to a SQL injection via maliciously crafted identifiers eg. crafted database name or crafted table name. Even through only the logged-in database user can…

CVSS: 8.8 CWE: CWE-89 - Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') View on NVD
2023-09-19
Medium

CVE-2023-41834

Improper Neutralization of CRLF Sequences in HTTP Headers in Apache Flink Stateful Functions 3.1.0, 3.1.1 and 3.2.0 allows remote attackers to inject arbitrary HTTP headers and conduct HTTP response…

CVSS: 6.1 CWE: CWE-74 - Improper Neutralization of Special Elements in Output Used by a Downstream Component ('Injection') View on NVD
2021-01-05
High

CVE-2020-17519

A change introduced in Apache Flink 1.11.0 (and released in 1.11.1 and 1.11.2 as well) allows attackers to read any file on the local filesystem of the JobManager through the REST interface of the Jo…

CVSS: 7.5 CWE: CWE-552 - Files or Directories Accessible to External Parties View on NVD
High

CVE-2020-17518

Apache Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system, through a maliciously modified HTTP HEADER. The files can be…

CVSS: 7.5 CWE: CWE-23 - Relative Path Traversal View on NVD
2020-05-14
Medium

CVE-2020-1960

A vulnerability in Apache Flink (1.1.0 to 1.1.5, 1.2.0 to 1.2.1, 1.3.0 to 1.3.3, 1.4.0 to 1.4.2, 1.5.0 to 1.5.6, 1.6.0 to 1.6.4, 1.7.0 to 1.7.2, 1.8.0 to 1.8.3, 1.9.0 to 1.9.2, 1.10.0) where, when ru…

CVSS: 4.7 CWE: N/A View on NVD
CVE Daily Lookup — auto-links CVE IDs on any page you visit. GitHub, Jira, Confluence & more. Free.
Chrome Firefox