Apache spark

This hub aggregates every CVE we track for Apache spark, a product in the databases space. Use it to gauge the current risk picture and drill into individual advisories.

Severity distribution

Monthly trend

The 15 most recently published vulnerabilities affecting Apache spark.

• CVE-2025-54920Apache Spark: Spark History Server Code Execution Vulnerability8.8Mar 14, 2026
• CVE-2025-55039Apache Spark, Apache Spark: RPC encryption defaults to unauthenticated AES-CTR mode, enabling man-in-the-middle ciphertext modification attacks6.5Oct 15, 2025
• CVE-2024-23945Apache Hive, Apache Spark, Apache Spark: CookieSigner exposes the correct signature when message verification fails5.9Dec 23, 2024
• CVE-2023-32007Apache Spark: Shell command injection via Spark UI8.8May 2, 2023
• CVE-2023-22946Apache Spark proxy-user privilege escalation from malicious configuration class6.4Apr 17, 2023
• CVE-2022-31777Apache Spark XSS vulnerability in log viewer UI Javascript5.4Nov 1, 2022
• CVE-2022-33891Apache Spark shell command injection vulnerability via Spark UIKEV8.8Jul 18, 2022
• CVE-2021-38296Apache Spark Key Negotiation Vulnerability7.5Mar 10, 2022
• CVE-2020-9480In Apache Spark 2.4.5 and earlier, a standalone resource manager's master may be configured to require authentication (spark.authenticate) via a shared secret. When enabled, however, a specially-cr...9.8Jun 23, 2020
• CVE-2019-10099Prior to Spark 2.3.3, in certain situations Spark would write user data to local disk unencrypted, even if spark.io.encryption.enabled=true. This includes cached blocks that are fetched to disk (co...7.5Aug 7, 2019
• CVE-2018-11760When using PySpark , it's possible for a different local user to connect to the Spark application and impersonate the user running the Spark application. This affects versions 1.x, 2.0.x, 2.1.x, 2....5.5Feb 4, 2019
• CVE-2018-17190In all versions of Apache Spark, its standalone resource manager accepts code to execute on a 'master' host, that then runs that code on 'worker' hosts. The master itself does not, by design, execu...9.8Nov 19, 2018
• CVE-2018-11804Spark's Apache Maven-based build includes a convenience script, 'build/mvn', that downloads and runs a zinc server to speed up compilation. It has been included in release branches since 1.3.x, up ...7.5Oct 24, 2018
• CVE-2018-11770From version 1.3.0 onward, Apache Spark's standalone master exposes a REST API for job submission, in addition to the submission mechanism used by spark-submit. In standalone, the config property '...4.2Aug 13, 2018
• CVE-2018-8024In Apache Spark 2.1.0 to 2.1.2, 2.2.0 to 2.2.1, and 2.3.0, it's possible for a malicious user to construct a URL pointing to a Spark cluster's UI's job and stage info pages, and if a user can be tr...5.4Jul 12, 2018