CVE-2026-40563
Published: 04 May 2026
Summary
CVE-2026-40563 is a high-severity Code Injection (CWE-94) vulnerability in Apache Atlas. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 23.6th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Threat & Defense at a Glance
Threat & Defense Details
Mitigating Controls (NIST 800-53 r5)AI
Directly prevents code injection by validating user-supplied query strings in the Apache Atlas DSL search endpoint to block alteration of Gremlin traversal logic.
Mitigates the vulnerability by requiring timely flaw remediation through upgrading Apache Atlas to version 2.5.0 or later.
Enforces access control policies to restrict unauthorized data access resulting from injected Gremlin traversal logic.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
The CVE describes a remote code/query injection vulnerability in the public-facing DSL search endpoint of Apache Atlas (a web/metadata application), directly enabling attackers to exploit the exposed service for unauthorized data access.
NVD Description
Description: Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Atlas Apache Atlas exposes a DSL search endpoint that accepts user-supplied query strings. Attacker can alter Gremlin traversal logic within grammar-allowed characters to access unintended data Affect Version:…
more
This issue affects Apache Atlas: from 0.8 through 2.4.0. For the affect version >= 2.0, vulnerability is only when Atlas is deployed with below non-default configuration. atlas.dsl.executor.traversal=false Mitigation: Users are recommended to upgrade to version 2.5.0, which fixes the issue.
Deeper analysisAI
CVE-2026-40563 is an Improper Control of Generation of Code ('Code Injection') vulnerability, classified under CWE-94, affecting Apache Atlas versions from 0.8 through 2.4.0. The issue resides in the DSL search endpoint, which accepts user-supplied query strings, allowing attackers to alter Gremlin traversal logic using grammar-allowed characters to access unintended data. For versions 2.0 and later, the vulnerability is present only under the non-default configuration atlas.dsl.executor.traversal=false.
An attacker with low privileges (PR:L), such as an authenticated user, can exploit this over the network (AV:N) with low complexity (AC:L) and no user interaction (UI:N). Successful exploitation enables high confidentiality impact (C:H) by accessing unauthorized data and low integrity impact (I:L), with no availability impact (A:N) and unchanged scope (S:U), as reflected in the CVSS v3.1 base score of 7.1.
Apache advisories recommend upgrading to version 2.5.0, which resolves the issue. Details are available in the Apache mailing list announcement at https://lists.apache.org/thread/vd0oggmqxl2k1skm0z2f9p0plx7jhmfl and the oss-security mailing list at http://www.openwall.com/lists/oss-security/2026/05/03/9.
Details
- CWE(s)