Apache Flink flaw allows remote code execution through malicious SQL queries


Apache Flink users need to patch a newly disclosed code-injection vulnerability that can let authenticated users execute arbitrary code on TaskManager nodes.

The flaw is tracked as CVE-2026-35194 and affects Apache Flink’s SQL code generation process. It impacts Flink 1.15.0 through versions before 1.20.4, as well as Flink 2.0.0 and later 2.x versions before the fixed 2.0.2, 2.1.2, and 2.2.1 releases.

The risk applies to users who already have permission to submit SQL queries. A malicious query can abuse how Flink turns SQL into generated Java code, then inject expressions that run on TaskManagers.

What is CVE-2026-35194?

CVE-2026-35194 is a code injection vulnerability in Apache Flink’s SQL code generation engine. Apache disclosed the issue on May 15, 2026, through an oss-security advisory from Apache Flink contributor Martijn Visser.

The vulnerability affects JSON functions introduced in Flink 1.15.0 and LIKE expressions with ESCAPE clauses introduced in Flink 1.17.0. These features can process user-controlled strings during SQL query handling.

The problem comes from unsafe interpolation. Flink can place user-controlled strings into generated Java code without proper escaping, which lets an attacker break out of string literals and inject arbitrary expressions.

Detail             | Information
-------------------|------------------------------------------
CVE                | CVE-2026-35194
Product            | Apache Flink
Vulnerability type | Code injection in SQL code generation
Impact             | Arbitrary code execution on TaskManagers
Access needed      | Authenticated query submission privileges
Fixed versions     | 1.20.4, 2.0.2, 2.1.2, and 2.2.1

Apache Flink runs distributed data processing workloads across clusters. TaskManagers execute parts of those workloads, which makes them high-value targets in production environments.

If an attacker can submit malicious SQL, the injected code may run where Flink executes generated tasks. That can expose sensitive data, disrupt jobs, or give the attacker a stronger foothold inside the processing environment.

The issue is especially important for shared analytics platforms, managed internal data services, and multi-tenant Flink deployments where several users or teams can submit queries.

The affected range starts with Flink 1.15.0 because that is the release that introduced the affected JSON functions. LIKE expressions with ESCAPE clauses add another affected path starting with Flink 1.17.0.

Apache recommends moving to one of the fixed releases rather than trying to work around the issue in application logic. The patched versions update Flink’s handling of the unsafe code generation path.

Flink branch | Affected versions                                  | Fixed version
-------------|----------------------------------------------------|--------------
1.x          | 1.15.0 through versions before 1.20.4              | 1.20.4
2.0.x        | 2.0.0 through versions before 2.0.2                | 2.0.2
2.1.x        | 2.1.0 through versions before 2.1.2                | 2.1.2
2.2.x        | 2.2.0 release candidates and unfixed 2.2 builds    | 2.2.1

How attackers can exploit it

An attacker needs access to submit SQL queries to a vulnerable Flink environment. That requirement lowers the risk compared with an unauthenticated internet-facing exploit, but it does not make the issue minor.

In many companies, data engineers, analysts, service accounts, internal tools, and automated jobs may submit SQL to Flink. If one of those accounts gets compromised, the vulnerability can turn query access into code execution.

The attack path centers on crafted SQL. By abusing affected JSON functions or LIKE expressions with ESCAPE clauses, an attacker can influence the Java code Flink generates and executes.

  • Submit a crafted SQL query through a trusted or compromised account.
  • Trigger vulnerable SQL code generation logic.
  • Break out of generated Java string boundaries.
  • Inject arbitrary Java expressions or method calls.
  • Execute code on TaskManager nodes in the Flink cluster.

Who should patch first

Organizations that run shared Flink environments should treat this as a priority update. The same applies to teams that let many users, services, or automated jobs submit SQL queries.

Production clusters that process sensitive data need the fastest response. These systems may handle event streams, user activity, payments, logs, telemetry, security data, and business analytics.

Administrators should also check managed deployments and vendor-provided Flink distributions. If the underlying Flink version falls into the affected range, the environment needs a patched build or a vendor update.

The main fix is to upgrade Apache Flink to a patched version. Teams using the 1.20 branch should move to 1.20.4, while Flink 2.x users should move to 2.0.2, 2.1.2, or 2.2.1 depending on their branch.

Access control also matters. Query submission privileges should go only to trusted users and services, especially in shared clusters where one compromised account could affect other workloads.

Security teams should review recent SQL submissions and TaskManager behavior for suspicious patterns. Unusual queries using JSON functions or LIKE ESCAPE clauses deserve closer inspection if they came from unexpected accounts.

  1. Identify all Apache Flink clusters and record their exact versions.
  2. Upgrade affected 1.x deployments to Flink 1.20.4.
  3. Upgrade affected 2.x deployments to Flink 2.0.2, 2.1.2, or 2.2.1.
  4. Restrict SQL query submission permissions to trusted users and service accounts.
  5. Review access tokens and credentials used by data tools that submit Flink queries.
  6. Monitor recent queries that use JSON functions or LIKE expressions with ESCAPE clauses.
  7. Check TaskManager nodes for unusual processes, crashes, or unexpected outbound connections.
  8. Apply runtime isolation and network controls around TaskManager nodes where possible.
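As an added example (not from the Apache advisory or the Flink project), the following Python script covers steps 1 to 3 and step 6 of the checklist above, and the monitoring advice before it: it checks a reported Flink version against the affected ranges stated in this article, and flags submitted queries that use JSON functions or LIKE ... ESCAPE when they come from an account outside an expected set. The function-name pattern, the sample submissions and the account names are assumptions constructed for the example.

```python
import re
from typing import List, Optional, Set, Tuple

# Affected ranges per branch as stated above: [first affected, first fixed).
AFFECTED_RANGES = {
    "1.x": ((1, 15, 0), (1, 20, 4)),
    "2.0.x": ((2, 0, 0), (2, 0, 2)),
    "2.1.x": ((2, 1, 0), (2, 1, 2)),
    "2.2.x": ((2, 2, 0), (2, 2, 1)),
}

def parse_version(version: str) -> Tuple[int, int, int]:
    # '2.2.0-rc1' compares as 2.2.0, so 2.2.0 release candidates land in the affected range.
    parts = [int(p) for p in version.strip().split("-")[0].split(".")]
    parts += [0] * (3 - len(parts))
    return (parts[0], parts[1], parts[2])

def is_affected(version: str) -> bool:
    """True if the version lies in any affected range for CVE-2026-35194."""
    v = parse_version(version)
    return any(low <= v < high for low, high in AFFECTED_RANGES.values())

# Assumed patterns: any JSON_* function call, and a LIKE predicate carrying an ESCAPE clause.
JSON_FUNC = re.compile(r"\bJSON_[A-Z_]+\s*\(", re.IGNORECASE)
LIKE_ESCAPE = re.compile(r"\bLIKE\b.*?\bESCAPE\b", re.IGNORECASE | re.DOTALL)

def triage_query(sql: str, submitter: str, expected: Set[str]) -> Optional[str]:
    """Review note when a query uses an affected feature from an account outside `expected`."""
    features = [name for pattern, name in ((JSON_FUNC, "JSON function"), (LIKE_ESCAPE, "LIKE ... ESCAPE"))
                if pattern.search(sql)]
    if not features or submitter in expected:
        return None
    return f"{submitter}: uses {', '.join(features)} from unexpected account"

def review_submissions(submissions: List[Tuple[str, str]], expected: Set[str]) -> List[str]:
    """Run triage over (submitter, sql) pairs and keep only the flagged notes."""
    return [n for n in (triage_query(sql, who, expected) for who, sql in submissions) if n]

# Constructed sample submissions and account list (not real cluster data).
EXPECTED_ACCOUNTS = {"etl-service", "analyst-42"}
SAMPLE_SUBMISSIONS = [
    ("etl-service", "SELECT id FROM orders WHERE status = 'open'"),
    ("analyst-42", "SELECT JSON_VALUE(payload, '$.user') FROM events"),
    ("unknown-svc", "SELECT name FROM users WHERE name LIKE 'a!%' ESCAPE '!'"),
]

if __name__ == "__main__":
    for ver in ("1.14.6", "1.20.3", "1.20.4", "2.2.0-rc1"):
        print(ver, "affected" if is_affected(ver) else "not affected")
    print(review_submissions(SAMPLE_SUBMISSIONS, EXPECTED_ACCOUNTS))
```

Feed the version check with what the running JobManager or TaskManager actually reports rather than a deployment manifest, since vendor builds and managed services may lag the version you think you deployed.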

Why this is a data platform security issue

Flink often sits close to important business data. A flaw in the query layer can therefore affect more than one application, especially when teams use the same cluster for several pipelines.

Data platforms also tend to trust internal users and automation heavily. That trust model can create risk when an authenticated vulnerability lets a normal query path reach backend execution nodes.

The safest response is to patch quickly and reduce who can submit SQL. Teams should also treat query engines as part of the production attack surface, not just as internal developer infrastructure.

FAQ

What is CVE-2026-35194 in Apache Flink?

CVE-2026-35194 is a code injection vulnerability in Apache Flink SQL code generation. It allows authenticated users with query submission privileges to execute arbitrary code on TaskManager nodes through malicious SQL queries.

Which Apache Flink versions are affected by CVE-2026-35194?

The vulnerability affects Apache Flink 1.15.0 through versions before 1.20.4, and Flink 2.0.0 through affected 2.x releases before the fixed 2.0.2, 2.1.2, and 2.2.1 versions.

Can CVE-2026-35194 be exploited without authentication?

No. The public advisory says exploitation requires authenticated users with query submission privileges. However, a compromised user or service account with SQL access could still use the flaw to execute code.

How can Apache Flink users fix CVE-2026-35194?

Apache recommends upgrading to Flink 1.20.4, 2.0.2, 2.1.2, or 2.2.1. Teams should also restrict query submission access and monitor TaskManager nodes for suspicious activity.

Why is this Apache Flink vulnerability serious?

The vulnerability is serious because it can turn SQL query access into code execution on TaskManagers. In production clusters, that can expose data, disrupt pipelines, and create a foothold inside data processing infrastructure.
