CVE-2026-49876 PUBLISHED

Apache Gravitino: Authenticated SSRF in Gravitino JobManager allows server-side HTTP requests to internal network and cloud metadata endpoints via unvalidated job template URIs

Assigner: apache
Reserved: 02.06.2026 Published: 13.07.2026 Updated: 13.07.2026

Authenticated SSRF in Gravitino JobManager allows server-side HTTP requests to internal network and cloud metadata endpoints via unvalidated job template URIs. A vulnerability in Apache Gravitino.

This issue affects Apache Gravitino: from 1.0.0 through 1.2.1.

Users are recommended to upgrade to version 1.3.0, which fixes the issue.

Product Status

Vendor Apache Software Foundation
Product Apache Gravitino
Versions Default: unaffected
  • affected from 1.0.0 to 1.2.1 (incl.)

Credits

  • Darpan Patel (darpan.patel5323@gmail.com) reporter

References

Problem Types

  • CWE-918 Server-Side Request Forgery (SSRF) CWE