CVE-2025-53648 PUBLISHED

Apache Gravitino: SQL misconfiguration can access or truncate files

Assigner: apache
Reserved: 08.07.2025 Published: 30.06.2026 Updated: 30.06.2026

SQL misconfiguration in the Gravitino UI, in versions 1.0.0 and below, can allow a malicious user to read or truncate files. Users are recommended to upgrade to version 1.0.0, which fixes this issue.

Product Status

Vendor Apache Software Foundation
Product Apache Gravitino
Versions Default: unaffected
  • affected from 0.5.0 to 1.0.0 (excl.)

Credits

  • A1kaid@ThreatBook VulTeam (reporter)
  • Le1a@ThreatBook VulTeam (finder)

Problem Types

  • CWE-89 Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection')