Home / Vulnerability Intelligence / CVE-2026-40563

CVE-2026-40563 - Vulnerability Analysis

HighCVSS: 8.1

Last Updated: May 6, 2026

Apache Atlas - Code Injection

Published: May 4, 2026Updated: May 6, 2026Remote Exploitable

Overview

Apache Atlas 0.8 through 2.4.0 contains a code injection caused by improper control of user-supplied query strings in the DSL search endpoint, letting attackers alter Gremlin traversal logic to access unintended data, exploit requires non-default configuration atlas.dsl.executor.traversal=false for versions >= 2.0.

Severity & Score

Severity: High

CVSS Score: 8.1

Impact

Attackers can manipulate query logic to access unauthorized data, potentially leading to sensitive information disclosure.

Mitigation

Upgrade to version 2.5.0.

References

http://www.openwall.com/lists/oss-security/2026/05/03/9
https://lists.apache.org/thread/vd0oggmqxl2k1skm0z2f9p0plx7jhmfl

Related Resources

Vulnerability Intelligence Dashboard
Credential Scanner

Details

CVE ID: CVE-2026-40563
Severity: High
CVSS Score: 8.1
Type: code_injection
Status: modified

CWE

CWE-94

CVSS Metrics

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:N