VYPR
High severity · NVD Advisory · Published May 22, 2023 · Updated Oct 11, 2024

Apache InLong: Attackers can change the immutable name and type of nodes

CVE-2023-31206

Description

Exposure of Resource to Wrong Sphere Vulnerability in Apache Software Foundation Apache InLong. This issue affects Apache InLong: from 1.4.0 through 1.6.0. Attackers can change the immutable name and type of nodes of InLong. Users are advised to upgrade to Apache InLong's 1.7.0 or cherry-pick [1] to solve it.

[1] https://github.com/apache/inlong/pull/7891

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

Apache InLong before 1.7.0 allows attackers to change immutable node names and types, breaking resource isolation.

CVE-2023-31206 is an exposure-of-resource-to-wrong-sphere vulnerability in Apache InLong, a one-stop, full-scenario data integration framework. The issue affects versions 1.4.0 through 1.6.0 and stems from missing checks that allow users to modify the data_node_name and cluster_name fields, which are intended to be immutable and serve as foreign keys for resource isolation.

An attacker with access to the InLong manager interface could change these node identifiers, effectively altering the path by which data resources are accessed. No privileges beyond normal access are required, because the vulnerability lies in the lack of server-side validation on these fields, as described in the advisory [1]. GitHub pull request #7891 [3] fixes the issue by adding validation and introducing display-name fields to decouple identity from display.
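
The missing check described above, sketched as an added example (not code from the InLong project or pull request #7891): an update path that copies every client-supplied field, beside one that rejects changes to name and type while still letting the display name change. All class, record and method names and the sample values are hypothetical.

```java
import java.util.HashMap;
import java.util.Map;
import java.util.Objects;

// Hypothetical stand-in for a manager-side node service (Java 16+ records);
// class, record and method names are not taken from the InLong code base.
public class NodeUpdateGuard {
    // name and type are the identity that other records reference.
    record Node(int id, String name, String type, String displayName, String url) {}
    record UpdateRequest(int id, String name, String type, String displayName, String url) {}

    private final Map<Integer, Node> store = new HashMap<>();

    void save(Node n) { store.put(n.id(), n); }

    // Weak form: every client-supplied field is copied onto the stored row,
    // so a caller can rewrite the name and type that act as foreign keys.
    Node updateUnchecked(UpdateRequest r) {
        Node n = new Node(r.id(), r.name(), r.type(), r.displayName(), r.url());
        store.put(r.id(), n);
        return n;
    }

    // Hardened form: identity fields must match the stored row; only the
    // display name and connection details are taken from the request.
    Node updateChecked(UpdateRequest r) {
        Node cur = store.get(r.id());
        if (cur == null) throw new IllegalArgumentException("node not found: " + r.id());
        if (!Objects.equals(cur.name(), r.name()) || !Objects.equals(cur.type(), r.type())) {
            throw new IllegalArgumentException("name and type are immutable for node " + r.id());
        }
        Node n = new Node(cur.id(), cur.name(), cur.type(), r.displayName(), r.url());
        store.put(cur.id(), n);
        return n;
    }

    public static void main(String[] args) {
        String url = "jdbc:mysql://db.example.internal:3306"; // constructed sample value
        NodeUpdateGuard svc = new NodeUpdateGuard();
        svc.save(new Node(1, "mysql_orders", "MYSQL", "Orders DB", url));
        try { // constructed request that tries to rename node 1
            svc.updateChecked(new UpdateRequest(1, "mysql_billing", "MYSQL", "Orders DB", url));
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        // A display-name change passes because name and type are unchanged.
        System.out.println(svc.updateChecked(new UpdateRequest(1, "mysql_orders", "MYSQL", "Orders (prod)", url)));
    }
}
```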

The impact is that an attacker can redirect data flows or misattribute resource ownership, potentially reading or writing data to unintended nodes. This breaks the trust model of InLong's resource management, which relies on immutable names for integrity. The CVSS vector is not yet provided by NVD [1], but the vulnerability is classified as critical by the maintainer due to the ease of exploitation and potential for data leakage.

Mitigation is straightforward: users should upgrade to Apache InLong version 1.7.0 or apply the cherry-pick commit from the referenced pull request [1][3]. No official workaround has been provided, and the project recommends upgrading as the only remediation for affected versions.

AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package | Affected versions | Patched versions
org.apache.inlong:manager-pojo (Maven) | >= 1.4.0, < 1.7.0 | 1.7.0
org.apache.inlong:manager-dao (Maven) | >= 1.4.0, < 1.7.0 | 1.7.0
org.apache.inlong:manager-service (Maven) | >= 1.4.0, < 1.7.0 | 1.7.0
org.apache.inlong:manager-test (Maven) | >= 1.4.0, < 1.7.0 | 1.7.0
org.apache.inlong:manager-web (Maven) | >= 1.4.0, < 1.7.0 | 1.7.0
