Apache StreamPark: Authenticated users can trigger remote command execution
Description
Incorrect Execution-Assigned Permissions vulnerability in Apache StreamPark.
This issue affects Apache StreamPark: from 2.1.4 before 2.1.6.
Users are recommended to upgrade to version 2.1.6, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache StreamPark 2.1.4 to 2.1.5 has an incorrect execution-assigned permissions vulnerability allowing authenticated users to trigger remote command execution.
Vulnerability
Overview
CVE-2025-30001 is an Incorrect Execution-Assigned Permissions vulnerability in Apache StreamPark, affecting versions from 2.1.4 before 2.1.6 [1][3]. The issue stems from improper permission checks during job execution, where the system fails to correctly enforce the intended access controls for authenticated users [1].
Exploitation
An attacker must first authenticate to the StreamPark platform [3]. Once authenticated, they can exploit the vulnerability to trigger remote command execution, likely by submitting or modifying a streaming job with malicious parameters that bypass the intended permission boundaries [3]. The attack vector is network-based and requires no special privileges beyond a valid user account [3].
Impact
Successful exploitation allows an authenticated attacker to execute arbitrary commands on the StreamPark server, potentially leading to full compromise of the application and underlying host [3]. This could result in data exfiltration, service disruption, or lateral movement within the network.
Mitigation
The vulnerability is fixed in Apache StreamPark version 2.1.6 [1][3]. Users running versions 2.1.4 or 2.1.5 should upgrade immediately. No workarounds have been publicly documented [1][3].
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.streampark:streampark | Maven | <= 2.1.5 | — |
Affected products
- Range: >=2.1.4, <2.1.6
- Apache Software Foundation / Apache StreamPark (v5): Range: 2.1.4
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- https://github.com/advisories/GHSA-6wwv-6mm3-pp76 (GHSA, advisory)
- https://lists.apache.org/thread/xfmsvhkcnr1831n0w5ovy3p44lsmfb7m (GHSA, vendor advisory, web)
- https://nvd.nist.gov/vuln/detail/CVE-2025-30001 (GHSA, advisory)
- https://www.openwall.com/lists/oss-security/2025/09/04/1 (GHSA, web)
News mentions
No linked articles in our index yet.