CVE-2026-40563: Apache Atlas has a Code Injection Vulnerability

May 4, 2026 (updated May 8, 2026)

Description:

Improper Control of Generation of Code (‘Code Injection’) vulnerability in Apache Atlas.

Apache Atlas exposes a DSL search endpoint that accepts user-supplied query strings. Attacker can alter Gremlin traversal logic within grammar-allowed characters to access unintended data.

Affected Version:

This issue affects Apache Atlas: from 0.8-incubating through 2.4.0.

For affected versions >= 2.0.0, the vulnerability is only exploitable when Atlas is deployed with below non-default configuration.

atlas.dsl.executor.traversal=false

Mitigation:

Users are recommended to upgrade to version 2.5.0, which fixes the issue.

References

Code Behaviors & Features

Detect and mitigate CVE-2026-40563 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →