CVE-2020-17518

Confirmed PUBLISHED

Apache Flink directory traversal attack: remote file writing through the REST API

Apache Software Foundation · Apache Flink

Not yet in CISA KEV

Exploited in the wild Active exploitation observed PoC available

Recommended Action

Prioritize immediate patching and validate internet-facing exposure. Monitor for matching exploitation attempts in your environment.

Confidence
Confirmed
Exploitation Status
Active exploitation observed
Observed in Sensors
Yes
Attempts (30d)
81
Unique Attacker IPs
27
CISA KEV
Not yet in CISA KEV
CVSS / EPSS
7.5 High EPSS 50.0%

At a Glance

Apache Flink 1.5.1 introduced a REST handler that allows you to write an uploaded file to an arbitrary location on the local file system, through a maliciously modified HTTP HEADER. The files can be written to any location accessible by Flink 1.5.1. All users should upgrade to Flink 1.11.3 or 1.12.0 if their Flink instance(s) are exposed. The issue was fixed in commit a5264a6f41524afe8ceadf1d8ddc8c80f323ebc4 from apache/flink:master.

nuclei_scanner apache
CVE Published
Jan 05, 2021
Exploitation Reported
Jun 12, 2026
CVSS
7.5 High
EPSS
50.0%
Remote Low complexity No user interaction Unauthenticated

Affected Versions

Vendor Product Version Status
Apache Software Foundation
Apache Flink

Apache Flink 1.5.1 to 1.11.2

Affected

CVE References

Show 19 more references

Recommended Actions

  • Prioritize immediate patching and validate internet-facing exposure. Monitor for matching exploitation attempts in your environment.
  • Review sensor telemetry for request paths, attacker IPs, and payload patterns that may inform detection and exposure validation.
  • Check enrichment artifacts for scanner coverage and available PoCs before rolling remediation validation.
  • Use the Pro API to automate enrichment, telemetry, and workflow delivery for VM, SOC, and CTI pipelines.