Apache Inlong JDBC Vulnerability
Description
Deserialization of Untrusted Data vulnerability in Apache InLong. This issue affects Apache InLong: from 1.7.0 through 1.11.0,
the attackers can bypass using malicious parameters.
Users are advised to upgrade to Apache InLong's 1.12.0 or cherry-pick [1], [2] to solve it.
[1] https://github.com/apache/inlong/pull/9694
[2] https://github.com/apache/inlong/pull/9707
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache InLong versions 1.7.0 through 1.11.0 contain a deserialization vulnerability that attackers can exploit via malicious parameters.
Vulnerability Overview
CVE-2024-26579 is a Deserialization of Untrusted Data vulnerability in Apache InLong, affecting versions from 1.7.0 up to and including 1.11.0 [3]. The vulnerability allows attackers to bypass security controls by injecting malicious parameters, leading to unsafe deserialization of user-supplied data.
Attack Vector and Exploitation
The attack surface involves the InLong Manager component, where the application fails to properly validate or sanitize certain input parameters before deserialization. This enables an attacker to craft malicious serialized objects that, when processed by the vulnerable deserialization routine, can execute arbitrary operations on the server. The exploitation does not require advanced privileges, as the vulnerability can be triggered through standard API calls or data ingestion workflows [1][2].
Impact
Successful exploitation of this deserialization flaw can lead to remote code execution (RCE) within the context of the InLong application server. An attacker could potentially compromise the integrity, confidentiality, and availability of the affected system, gaining full control over the InLong instance and any connected data pipelines [3].
Mitigation
The Apache InLong project has addressed this vulnerability in version 1.12.0. Users are strongly advised to upgrade to this latest release. Alternatively, the specific fixes can be cherry-picked from the provided pull requests: [INLONG-9689] (PR #9694) and [INLONG-9706] (PR #9707) [1][2][3]. These patches introduce stricter input validation and secure deserialization practices to prevent the bypass.
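One way to implement the stricter parameter handling the patches aim at, as an added Java example that is not InLong's own MySQLSensitiveUrlUtils: it cuts the fragment before parsing, skips empty tokens, and drops disallowed parameters by their parsed key rather than by substring replacement. The deny-list keys are an assumption (well-known Connector/J property names; the project's real SENSITIVE_REPLACE_PARAM_MAP is not on the page), and unlike the project's map this version removes the parameters instead of rewriting them.

```java
import java.util.ArrayList;
import java.util.List;
import java.util.Locale;
import java.util.Set;

// Added example, not InLong code: parse the JDBC URL query into key/value
// tokens and drop denied keys by exact, case-insensitive match on the parsed
// key, so the value spelling (true/yes/TRUE/...) never matters.
public class JdbcUrlParamFilter {
    // Hypothetical deny-list; the project's real map is not shown on the page.
    static final Set<String> DENIED_KEYS = Set.of(
            "allowloadlocalinfile", "allowurlinlocalinfile", "autodeserialize");

    public static String filterSensitive(String url) {
        // Whitespace is removed first so "key = true" cannot hide the key.
        String clean = url.replaceAll("\\s", "");
        int q = clean.indexOf('?');
        if (q < 0) {
            return clean; // no query string, nothing to filter
        }
        String base = clean.substring(0, q);
        String query = clean.substring(q + 1);
        // Everything after '#' is a fragment: cut it off before parsing so the
        // parameter loop and the driver see the same query string.
        int hash = query.indexOf('#');
        if (hash >= 0) {
            query = query.substring(0, hash);
        }
        List<String> kept = new ArrayList<>();
        for (String param : query.split("&")) {
            if (param.isEmpty()) {
                continue; // "a=1&&b=2" yields an empty token; skip it
            }
            int eq = param.indexOf('=');
            String key = eq < 0 ? param : param.substring(0, eq);
            if (DENIED_KEYS.contains(key.toLowerCase(Locale.ROOT))) {
                continue; // dropped by parsed key, whatever the value
            }
            kept.add(param);
        }
        return kept.isEmpty() ? base : base + "?" + String.join("&", kept);
    }

    public static void main(String[] args) {
        // Constructed sample URL with mixed-case keys, an empty token and a fragment.
        String sample = "jdbc:mysql://db.example:3306/test?user=x&ALLOWLOADLOCALINFILE=YES&&a=1#autoDeserialize=true";
        System.out.println(filterSensitive(sample));
    }
}
```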
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.inlong:manager-pojo (Maven) | >= 1.7.0, < 1.12.0 | 1.12.0 |
Affected products
- Apache Software Foundation / Apache InLong, range: 1.7.0
Patches
23e3e00cae1f [INLONG-9706][Manager] Supports jdbc verification under multiple hosts (#9707)
2 files changed · +13 −2
inlong-manager/manager-common/src/main/java/org/apache/inlong/manager/common/consts/InlongConstants.java+2 −0 modified@@ -48,6 +48,8 @@ public class InlongConstants { public static final String EMPTY = ""; + public static final String SHARP = "#"; + public static final String SLASH = "/"; public static final String COLON = ":";
inlong-manager/manager-pojo/src/main/java/org/apache/inlong/manager/pojo/util/MySQLSensitiveUrlUtils.java+11 −2 modified@@ -71,17 +71,26 @@ public static String filterSensitive(String url) { } resultUrl = resultUrl.replaceAll(InlongConstants.REGEX_WHITESPACE, InlongConstants.EMPTY); + for (String key : SENSITIVE_REPLACE_PARAM_MAP.keySet()) { + resultUrl = StringUtils.replaceIgnoreCase(resultUrl, key + InlongConstants.EQUAL + "true", + InlongConstants.EMPTY); + resultUrl = StringUtils.replaceIgnoreCase(resultUrl, key + InlongConstants.EQUAL + "yes", + InlongConstants.EMPTY); + } if (resultUrl.contains(InlongConstants.QUESTION_MARK)) { StringBuilder builder = new StringBuilder(); builder.append(StringUtils.substringBefore(resultUrl, InlongConstants.QUESTION_MARK)); builder.append(InlongConstants.QUESTION_MARK); List<String> paramList = new ArrayList<>(); String queryString = StringUtils.substringAfter(resultUrl, InlongConstants.QUESTION_MARK); - if (queryString.contains("#")) { - queryString = StringUtils.substringBefore(queryString, "#"); + if (queryString.contains(InlongConstants.SHARP)) { + queryString = StringUtils.substringBefore(queryString, InlongConstants.SHARP); } for (String param : queryString.split(InlongConstants.AMPERSAND)) { + if (StringUtils.isBlank(param)) { + continue; + } String key = StringUtils.substringBefore(param, InlongConstants.EQUAL); String value = StringUtils.substringAfter(param, InlongConstants.EQUAL);
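Review bot: the new loop in `filterSensitive` removes `key=true` / `key=yes` with an unanchored `StringUtils.replaceIgnoreCase` over the whole `resultUrl`, so only those two value spellings are covered and the match is not tied to the `?`/`&` delimiters: a key that happens to be the suffix of a longer parameter name is clipped as well, and a value written any other way falls through to the per-param loop below, which still keys on `StringUtils.substringBefore(param, InlongConstants.EQUAL)`. Since that loop already parses each parameter, comparing the parsed key case-insensitively against the map there would cover every value form without the string-replace pass. Two smaller points: the name `SENSITIVE_REPLACE_PARAM_MAP` suggests replacement values exist, yet the hunk replaces with `InlongConstants.EMPTY` and never reads the map values, which deserves a comment; and `2 files changed · +13 −2` shows no test for the blank-parameter (`a=1&&b=2`) and fragment cases this change targets.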
cdf616670942 [INLONG-9689][Manager] Optimize MySQL JDBC URL check (#9694)
1 file changed · +3 −0
inlong-manager/manager-pojo/src/main/java/org/apache/inlong/manager/pojo/util/MySQLSensitiveUrlUtils.java+3 −0 modified@@ -78,6 +78,9 @@ public static String filterSensitive(String url) { List<String> paramList = new ArrayList<>(); String queryString = StringUtils.substringAfter(resultUrl, InlongConstants.QUESTION_MARK); + if (queryString.contains("#")) { + queryString = StringUtils.substringBefore(queryString, "#"); + } for (String param : queryString.split(InlongConstants.AMPERSAND)) { String key = StringUtils.substringBefore(param, InlongConstants.EQUAL); String value = StringUtils.substringAfter(param, InlongConstants.EQUAL);
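Review bot: the fragment strip is applied only to the text after `InlongConstants.QUESTION_MARK`, so a `#` that occurs before the first `?` is never examined by this check and whatever precedes `?` is passed through untouched; the intended handling of such URLs should be stated, or they should be rejected rather than silently truncated. The literal `"#"` appears twice where the surrounding code already reads `InlongConstants.QUESTION_MARK` and `InlongConstants.AMPERSAND`; a named constant in `InlongConstants` would keep the delimiters in one place. `1 file changed · +3 −0` means no test accompanies the change; a unit test with a fragment after the query string would document the behaviour being fixed.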
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-fgh3-pwmp-3qw3 (GHSA, advisory)
- lists.apache.org/thread/d2hndtvh6bll4pkl91o2oqxyynhr54k3 (GHSA, vendor advisory, web)
- nvd.nist.gov/vuln/detail/CVE-2024-26579 (GHSA, advisory)
- www.openwall.com/lists/oss-security/2024/05/09/2 (GHSA, web)
- github.com/apache/inlong/commit/23e3e00cae1fd120b089fca54f7440945dfe11a4 (GHSA, web)
- github.com/apache/inlong/commit/cdf616670942fec7d09fae2452e2ea215205dd1d (GHSA, web)
- github.com/apache/inlong/pull/9694 (GHSA, web)
- github.com/apache/inlong/pull/9707 (GHSA, web)