Severity: important

Affected versions:

- Apache Atlas (org.apache.atlas:atlas-repository) 0.8 through 2.4.0

Description:

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Atlas.

Apache Atlas exposes a DSL search endpoint that accepts user-supplied query strings. An attacker can alter the Gremlin traversal logic generated from a query, using only characters the DSL grammar permits, to access unintended data.

Affected versions:
This issue affects Apache Atlas from 0.8 through 2.4.0.

For affected versions >= 2.0, the vulnerability is present only when Atlas is deployed with the following non-default configuration:

atlas.dsl.executor.traversal=false
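As an added defender-side check, not part of this advisory or of the Atlas project: a Python script that reads an atlas-application.properties file and reports whether a given Atlas version and configuration match the affected condition described above. It assumes that an absent atlas.dsl.executor.traversal key means the default setting, which the advisory describes as not being false; the sample property file contents are constructed.

```python
import re

# Facts taken from the advisory (CVE-2026-40563):
#   affected: 0.8 through 2.4.0; fixed in 2.5.0
#   for >= 2.0 only when atlas.dsl.executor.traversal=false (a non-default value)
TRAVERSAL_KEY = "atlas.dsl.executor.traversal"
FIRST_AFFECTED = (0, 8, 0)
FIRST_CONFIG_GATED = (2, 0, 0)
FIXED = (2, 5, 0)

def parse_version(v: str) -> tuple:
    """Turn '2.4.0' / '0.8' / '2.1.0-SNAPSHOT' into a comparable 3-tuple."""
    m = re.match(r"^\s*(\d+)(?:\.(\d+))?(?:\.(\d+))?", v)
    if not m:
        raise ValueError(f"unparseable version: {v!r}")
    return tuple(int(g) if g is not None else 0 for g in m.groups())

def parse_properties(text: str) -> dict:
    """Minimal Java .properties reader: key=value lines, '#'/'!' comments, blanks."""
    props = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line[0] in "#!":
            continue
        key, sep, value = line.partition("=")
        if sep:
            props[key.strip()] = value.strip()
    return props

def dsl_executor_exposed(version: str, properties_text: str) -> bool:
    """True when this version + config matches the advisory's affected condition."""
    v = parse_version(version)
    if v < FIRST_AFFECTED or v >= FIXED:
        return False
    if v < FIRST_CONFIG_GATED:
        return True  # 0.8 <= v < 2.0: affected regardless of configuration
    # >= 2.0: only the non-default traversal=false setting is affected.
    # Assumption: a missing key means the default, which is not 'false' per the advisory.
    traversal = parse_properties(properties_text).get(TRAVERSAL_KEY, "").lower()
    return traversal == "false"

# Constructed sample property files (not taken from any real deployment)
SAMPLE_WEAK = "# constructed atlas-application.properties\natlas.dsl.executor.traversal=false\n"
SAMPLE_DEFAULT = "# constructed: traversal key left at its default\nsome.other.key=value\n"

if __name__ == "__main__":
    for ver, cfg in [("2.4.0", SAMPLE_WEAK), ("2.4.0", SAMPLE_DEFAULT),
                     ("1.2.0", SAMPLE_DEFAULT), ("2.5.0", SAMPLE_WEAK)]:
        print(ver, "exposed" if dsl_executor_exposed(ver, cfg) else "not exposed")
```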
Mitigation:
Users are recommended to upgrade to version 2.5.0, which fixes the issue.

Credit:

Khaled M. Alshammri (finder)
qx L (finder)

References:

https://atlas.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-40563