Apache Atlas Code Injection Vulnerability Allowing Unintended Data Access

Vulnerability

A code injection vulnerability has been identified in Apache Atlas versions 0.8 through 2.4.0. The issue arises in the DSL search endpoint, which accepts user-supplied query strings. Using only characters permitted by the DSL grammar, an attacker can alter the Gremlin traversal logic that the query is translated into and thereby access data they are not authorized to see. For versions 2.0 and above, the vulnerability is only present when Atlas is deployed with the non-default configuration 'atlas.dsl.executor.traversal=false'.

Impact

Exploitation of this vulnerability allows for unauthorized access to data by manipulating query strings to alter Gremlin traversal logic.

Remediation

Users are advised to upgrade to Apache Atlas version 2.5.0, which addresses this vulnerability. Per the conditions above, deployments on 2.0 and above that do not set 'atlas.dsl.executor.traversal=false' are not affected; until the upgrade is applied, confirm that this setting is not present or not set to false in the deployment's configuration.
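The following script is an added example for operators, not Apache Atlas project code. It encodes the affected-version range (0.8 through 2.4.0) and the configuration gate for 2.0 and above exactly as stated above, parses a Java-style properties file (Atlas reads its settings from atlas-application.properties) and reports whether a given deployment matches the affected conditions. The sample properties content is constructed for the example; how the version string and configuration file are obtained from a real deployment is left to the operator.

```python
"""Exposure check for the Apache Atlas DSL search issue described above.

Affected: versions 0.8 through 2.4.0; for 2.0 and above only when
atlas.dsl.executor.traversal=false is configured (non-default).
Constructed example, not Apache Atlas code.
"""
import re

AFFECTED_MIN = (0, 8, 0)
AFFECTED_MAX = (2, 4, 0)
CONFIG_GATE_FROM = (2, 0, 0)      # from 2.0 on, exposure depends on the setting below
CONFIG_KEY = "atlas.dsl.executor.traversal"

# Constructed sample of an atlas-application.properties file (not a real deployment).
SAMPLE_PROPERTIES = """
# constructed sample configuration
atlas.graph.storage.backend=hbase2
atlas.dsl.executor.traversal = false
"""


def parse_version(text):
    """Parse 'major.minor[.patch]' into a comparable tuple; suffixes such as
    '-SNAPSHOT' are ignored. Raises ValueError on unrecognised input."""
    m = re.match(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised version: {text!r}")
    return (int(m.group(1)), int(m.group(2)), int(m.group(3) or 0))


def parse_properties(text):
    """Minimal Java .properties reader: 'key=value' or 'key: value',
    '#'/'!' comment lines, and backslash line continuations."""
    props = {}
    pending = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#!":
            continue
        if line.endswith("\\"):          # continued on the next line
            pending.append(line[:-1])
            continue
        pending.append(line)
        logical = "".join(pending)
        pending = []
        m = re.match(r"([^=:\s]+)\s*[=:]?\s*(.*)", logical)
        if m:
            props[m.group(1)] = m.group(2).strip()
    return props


def assess(version, properties):
    """Return (affected, reason) for a deployment at `version` with the given
    parsed properties, applying the conditions stated in the advisory."""
    v = parse_version(version)
    if not (AFFECTED_MIN <= v <= AFFECTED_MAX):
        return (False, f"version {version} is outside the affected range 0.8 - 2.4.0")
    if v >= CONFIG_GATE_FROM:
        setting = properties.get(CONFIG_KEY, "").strip().lower()
        if setting == "false":
            return (True, f"version {version} with non-default {CONFIG_KEY}=false")
        return (False, f"version {version} does not set {CONFIG_KEY}=false")
    # Versions before 2.0 are affected regardless of configuration.
    return (True, f"version {version} is affected regardless of configuration")


if __name__ == "__main__":
    props = parse_properties(SAMPLE_PROPERTIES)
    for ver, cfg in (("1.2.0", {}), ("2.4.0", props), ("2.4.0", {}), ("2.5.0", props)):
        affected, reason = assess(ver, cfg)
        print(("AFFECTED " if affected else "ok       ") + reason)
```

The check deliberately treats any value other than the literal `false` as the default executor, and an absent key the same way, so a deployment is flagged only when it matches the condition the advisory names. Versions outside 0.8 through 2.4.0 are reported as not affected because that is the range the advisory gives, not because anything else has been verified.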

Added: May 4, 2026, 4:18 PM
Updated: May 4, 2026, 4:18 PM

Vulnerability Rating

Custom Algorithm
spread: 0.3
impact: 0.6
exploitability: 7.0
remediation: 7.9
relevance: 7.0
threat: 0.0
urgency: 2.9
incentive: 4.2

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.