Apache Atlas security advisories
Security information for Apache Atlas
Reporting
Do you want disclose a potential security issue for Apache Atlas? Send your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
Script injection allows access to unintended data
CVE-2026-40563 [CVE] [CVE json] [OSV json]
Last updated: 2026-05-04T15:17:30.858Z
Affected
- Apache Atlas from 0.8 through 2.4.0
Description
Description:
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Atlas
Apache Atlas exposes a DSL search endpoint that accepts user-supplied query strings. Attacker can alter Gremlin traversal logic within grammar-allowed characters to access unintended data
Affect Version:
This issue affects Apache Atlas: from 0.8 through 2.4.0.
For the affect version >= 2.0, vulnerability is only when Atlas is deployed with below non-default configuration.
atlas.dsl.executor.traversal=false
Users are recommended to upgrade to version 2.5.0, which fixes the issue.
References
Credits
- Khaled M. Alshammri (finder)
- qx L (finder)
Stored XSS in Create Entity page
CVE-2025-62198 [CVE] [CVE json] [OSV json]
Last updated: 2026-06-22T07:47:10.790Z
Affected
- Apache Atlas through 2.4.0
Description
An authenticated user can perform XSS.
This issue affects Apache Atlas versions 2.4.0 and earlier.
Users are recommended to upgrade to version 2.5.0, which fixes the issue.
References
Credits
- Grzegorz Misiun (finder)
An authenticated user can perform XSS and potentially impersonate another user
CVE-2024-46910 [CVE] [CVE json] [OSV json]
Last updated: 2025-10-17T15:29:29.800Z
Affected
- Apache Atlas from 2.0.0 through 2.3.0
Description
An authenticated user can perform XSS and potentially impersonate another user.
This issue affects Apache Atlas versions 2.3.0 and earlier.
Users are recommended to upgrade to version 2.4.0, which fixes the issue.
References
Credits
- SecIQ Technologies LLP (finder)
- Darpan Patel (SecIQ Technologies) (finder)
zip path traversal in import functionality
CVE-2022-34271 [CVE] [CVE json] [OSV json]
Last updated: 2022-12-14T08:34:57.194Z
Affected
- Apache Atlas from 0.8.4 before 2.3.0
Description
A vulnerability in import module of Apache Atlas allows an authenticated user to write to web server filesystem. This issue affects Apache Atlas versions from 0.8.4 to 2.2.0.
References
Credits
- Huangzhicong (finder)