VDB
KO
MEDIUM 6.5

PYSEC-2026-3442

Details

Authenticated SSRF in Gravitino JobManager allows server-side HTTP requests to internal network and cloud metadata endpoints via unvalidated job template URIs. A vulnerability in Apache Gravitino.

This issue affects Apache Gravitino: from 1.0.0 through 1.2.1.

Users are recommended to upgrade to version 1.3.0, which fixes the issue.

Are you affected?

Enter the version of the package you're using.

Affected packages

PyPI / apache-gravitino
Introduced in: 1.0.0 Fixed in: 1.3.0
Fix pip install --upgrade 'apache-gravitino>=1.3.0'

References