{"schema_version": "1.6.1", "id": "CVE-2026-40563", "summary": "Script injection allows access to unintended data", "details": "Description:\nImproper Control of Generation of Code ('Code Injection') vulnerability in Apache Atlas\nApache Atlas exposes a DSL search endpoint that accepts user-supplied query strings. Attacker can alter Gremlin traversal logic within grammar-allowed characters to access unintended data\n\n\n\n\nAffect Version:\nThis issue affects Apache Atlas: from 0.8 through 2.4.0.\n\n\n\nFor the affect version >= 2.0, vulnerability is only when Atlas is deployed with below non-default configuration.\n\n\natlas.dsl.executor.traversal=false\n\n\n\nMitigation:\nUsers are recommended to upgrade to version 2.5.0, which fixes the issue.", "affected": [{"ranges": [{"type": "SEMVER", "events": [{"introduced": "0.8"}, {"last_affected": "0.8"}]}]}], "references": [{"type": "WEB", "url": "https://lists.apache.org/thread/vd0oggmqxl2k1skm0z2f9p0plx7jhmfl"}]}