Apache Kylin vulnerabilities
21 known vulnerabilities affecting apache/kylin.
Total CVEs: 21
CISA KEV: 1 (actively exploited)
Public exploits: 2
Exploited in wild: 1
Severity breakdown: CRITICAL 7, HIGH 11, MEDIUM 3
Vulnerabilities
Page 1 of 2
CVE-2025-61733 | HIGH | CVSS 7.5 | affected: ≥ 4.0.0, < 5.0.3 | published 2025-10-02
Weakness: CWE-288
Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Kylin.
This issue affects Apache Kylin: from 4.0.0 through 5.0.2.
Users are recommended to upgrade to version 5.0.3, which fixes the issue.
Source: nvd
CVE-2025-61734 | HIGH | CVSS 7.5 | affected: ≥ 4.0.0, < 5.0.3 | published 2025-10-02
Weakness: CWE-552
Files or Directories Accessible to External Parties vulnerability in Apache Kylin.
You are fine as long as Kylin's system and project admin access is well protected.
This issue affects Apache Kylin: from 4.0.0 through 5.0.2.
Users are recommended to upgrade to version 5.0.3, which fixes the issue.
Source: nvd
CVE-2025-61735 | HIGH | CVSS 7.3 | affected: ≥ 4.0.0, < 5.0.3 | published 2025-10-02
Weakness: CWE-918
Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin.
This issue affects Apache Kylin: from 4.0.0 through 5.0.2. You are fine as long as Kylin's system and project admin access is well protected.
Users are recommended to upgrade to version 5.0.3, which fixes the issue.
Source: nvd
CVE-2025-30067 | HIGH | CVSS 7.2 | affected: ≥ 4.0.0, < 5.0.2 | published 2025-03-27
Weakness: CWE-94
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Kylin.
If an attacker gets access to Kylin's system or project admin permission, the JDBC connection configuration may be altered to execute arbitrary code from the remote. You are fine as long as Kylin's system and project admin access is well protected.
This issue a
Source: nvd
CVE-2024-48944 | MEDIUM | CVSS 6.5 | affected: ≥ 5.0.0, < 5.0.2 | published 2025-03-27
Weakness: CWE-918
Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin. Through a kylin server, an attacker may forge a request to invoke "/kylin/api/xxx/diag" api on another internal host and possibly get leaked information. There are two preconditions: 1) The attacker has got admin access to a kylin server; 2) Another internal host has the "/kylin/api/x
Source: nvd
CVE-2024-23590 | CRITICAL | CVSS 9.1 | affected: ≥ 2.0.0, < 5.0.0 | published 2024-11-04
Weakness: CWE-384
Session Fixation vulnerability in Apache Kylin.
This issue affects Apache Kylin: from 2.0.0 through 4.x.
Users are recommended to upgrade to version 5.0.0 or above, which fixes the issue.
Source: nvd
CVE-2023-29055 | HIGH | CVSS 7.5 | affected: ≥ 2.0.0, < 4.0.4 | published 2024-01-29
Weakness: CWE-522
In Apache Kylin version 2.0.0 to 4.0.3, there is a Server Config web interface that displays the content of the file 'kylin.properties', which may contain server-side credentials. When the Kylin service runs over HTTP (or another plain-text protocol), it is possible for network sniffers to hijack the HTTP payload and get access to the content of kylin.propert
Source: nvd
CVE-2022-44621 | CRITICAL | CVSS 9.8 | fixed in 4.0.3 | published 2022-12-30
Weakness: CWE-77
The Diagnosis Controller lacks parameter validation, so a user may be attacked by command injection via an HTTP request.
Source: nvd
CVE-2022-43396 | HIGH | CVSS 8.8 | fixed in 4.0.3 | published 2022-12-30
In the fix for CVE-2022-24697, a blacklist is used to filter user-input commands, but it is at risk of being bypassed: the user can control the command by controlling the kylin.engine.spark-cmd parameter of conf.
Source: nvd
CVE-2022-24697 | CRITICAL | CVSS 9.8 | affected: ≥ 2.0.0, < 2.6.6; ≥ 3.0.0, ≤ 3.1.2; +1 more | published 2022-10-13
Weakness: CWE-78
Kylin's cube designer function has a command injection vulnerability when overwriting system parameters in the configuration overwrites menu. RCE can be implemented by closing the single quotation marks around the parameter value of “-- conf=” to inject any operating system command into the command line parameters. This vulnerability affects Kylin
Source: nvd
CVE-2021-45456 | CRITICAL | CVSS 9.8 | affected: v4.0.0 | published 2022-01-06
Weakness: CWE-77
Apache Kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user. There is a mismatch between what is being checked and what is being used as the shell command argument in DiagnosisService. This may cause an illegal project name to pass the check and perform the following steps, resulting
Source: nvd
CVE-2021-31522 | CRITICAL | CVSS 9.8 | affected: ≥ 2.0.0, ≤ 2.6.6; ≥ 3.0.0, < 3.1.3; +1 more | published 2022-01-06
Weakness: CWE-470
Kylin can receive user input and load any class through Class.forName(...). This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.
Source: nvd
CVE-2021-27738 | HIGH | CVSS 7.5 | affected: ≥ 3.0.0, < 3.1.2 | published 2022-01-06
Weakness: CWE-918
All request mappings in `StreamingCoordinatorController.java` handling `/kylin/api/streaming_coordinator/*` REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes, creation/modification and deletion of replica sets, to the Kylin Coordin
Source: nvd
CVE-2021-45457 | HIGH | CVSS 7.5 | affected: ≥ 2.0.0, ≤ 2.6.6; ≥ 3.0.0, < 3.1.3; +1 more | published 2022-01-06
Weakness: CWE-863
In Apache Kylin, cross-origin requests with credentials are allowed to be sent from any origin. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.
Source: nvd
CVE-2021-45458 | HIGH | CVSS 7.5 | affected: ≥ 2.0.0, ≤ 2.6.6; ≥ 3.0.0, < 3.1.3; +1 more | published 2022-01-06
Weakness: CWE-798
Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin's configuration file, ther
Source: nvd
CVE-2021-36774 | MEDIUM | CVSS 6.5 | affected: ≥ 2.0.0, ≤ 2.6.6; ≥ 3.0.0, ≤ 3.1.2 | published 2022-01-06
Apache Kylin allows users to read data from other database systems using JDBC. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Kylin server processes. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache
Source: nvd
CVE-2020-13937 | MEDIUM | CVSS 5.3 | PoC available | affected: v2.0.0, v2.1.0, +21 more | published 2020-10-19
Weakness: CWE-922
Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1, 3.0.2, 3.1.0, 4.0.0-alpha has one restful api which exposed Kylin's configuration information without any authentication, so it is dangerous because some confi
Source: nvd
CVE-2020-13925 | CRITICAL | CVSS 9.8 | affected: ≥ 2.3.0, < 3.1.0 | published 2020-07-14
Weakness: CWE-78
Similar to CVE-2020-1956, Kylin has one more RESTful API which concatenates the API inputs into OS commands and then executes them on the server; the reported API misses necessary input validation, which gives attackers the possibility to execute OS commands remotely. Users of all previous versions after 2.3 should upgrade to 3.1.0.
Source: nvd
CVE-2020-13926 | CRITICAL | CVSS 9.8 | affected: ≥ 2.0.0, < 3.1.0 | published 2020-07-14
Weakness: CWE-89
Kylin concatenates and executes a Hive SQL in Hive CLI or beeline when building a new segment; some part of the HQL is from system configurations, while the configuration can be overwritten by a certain REST API, which makes an SQL injection attack possible. Users of all previous versions after 2.0 should upgrade to 3.1.0.
Source: nvd
CVE-2020-1956 | HIGH | CVSS 8.8 | CISA KEV | PoC available | affected: ≥ 2.3.0, ≤ 2.3.2; ≥ 2.5.0, ≤ 2.5.2; +8 more | published 2020-05-22
Weakness: CWE-78
Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1, have some RESTful APIs which concatenate an OS command with the user input string; a user is likely to be able to execute any OS command without any protection or validation.
Sources: cvelistv5, nvd