Apache Atlas security advisories

Security information for Apache Atlas

Reporting

Do you want disclose a potential security issue for Apache Atlas? Send your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

Script injection allows access to unintended data

CVE-2026-40563 [CVE] [CVE json] [OSV json]

Last updated: 2026-05-04T15:17:30.858Z

Affected

  • Apache Atlas from 0.8 through 2.4.0

Description

Description:
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Atlas
Apache Atlas exposes a DSL search endpoint that accepts user-supplied query strings. Attacker can alter Gremlin traversal logic within grammar-allowed characters to access unintended data

Affect Version:
This issue affects Apache Atlas: from 0.8 through 2.4.0.

For the affect version >= 2.0, vulnerability is only when Atlas is deployed with below non-default configuration.

atlas.dsl.executor.traversal=false
Mitigation:
Users are recommended to upgrade to version 2.5.0, which fixes the issue.

References

Credits

  • Khaled M. Alshammri (finder)
  • qx L (finder)

Stored XSS in Create Entity page

CVE-2025-62198 [CVE] [CVE json] [OSV json]

Last updated: 2026-06-22T07:47:10.790Z

Affected

  • Apache Atlas through 2.4.0

Description

An authenticated user can perform XSS.

This issue affects Apache Atlas versions 2.4.0 and earlier.

Users are recommended to upgrade to version 2.5.0, which fixes the issue.

References

Credits

  • Grzegorz Misiun (finder)

An authenticated user can perform XSS and potentially impersonate another user

CVE-2024-46910 [CVE] [CVE json] [OSV json]

Last updated: 2025-10-17T15:29:29.800Z

Affected

  • Apache Atlas from 2.0.0 through 2.3.0

Description

An authenticated user can perform XSS and potentially impersonate another user.

This issue affects Apache Atlas versions 2.3.0 and earlier.

Users are recommended to upgrade to version 2.4.0, which fixes the issue.

References

Credits

  • SecIQ Technologies LLP (finder)
  • Darpan Patel (SecIQ Technologies) (finder)

zip path traversal in import functionality

CVE-2022-34271 [CVE] [CVE json] [OSV json]

Last updated: 2022-12-14T08:34:57.194Z

Affected

  • Apache Atlas from 0.8.4 before 2.3.0

Description

A vulnerability in import module of Apache Atlas allows an authenticated user to write to web server filesystem. This issue affects Apache Atlas versions from 0.8.4 to 2.2.0.

References

Credits

  • Huangzhicong (finder)