Apache Kylin security advisories
Security information for Apache Kylin
Reporting
Do you want disclose a potential security issue for Apache Kylin? Send your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
Server-Side Request Forgery
CVE-2025-61735 [CVE] [CVE json] [OSV json]
Last updated: 2026-02-02T07:35:53.853Z
Affected
- Apache Kylin from 4.0.0 through 5.0.2
Description
Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin.
This issue affects Apache Kylin: from 4.0.0 through 5.0.2. You are fine as long as the Kylin's system and project admin access is well protected.
Users are recommended to upgrade to version 5.0.3, which fixes the issue.
References
Credits
- liuhuajin liuhuajin1@huawei.com (finder)
- 75Acol (finder)
- fcgboy (finder)
- stan fang (finder)
- zer0duck (finder)
improper restriction of file read
CVE-2025-61734 [CVE] [CVE json] [OSV json]
Last updated: 2026-02-02T07:35:03.252Z
Affected
- Apache Kylin from 4.0.0 through 5.0.2
Description
Files or Directories Accessible to External Parties vulnerability in Apache Kylin. You are fine as long as the Kylin's system and project admin access is well protected.
This issue affects Apache Kylin: from 4.0.0 through 5.0.2.
Users are recommended to upgrade to version 5.0.3, which fixes the issue.
References
Credits
- liuhuajin liuhuajin1@huawei.com (finder)
- 75Acol (finder)
- fcgboy (finder)
- stan fang (finder)
- zer0duck (finder)
Authentication bypass
CVE-2025-61733 [CVE] [CVE json] [OSV json]
Last updated: 2026-02-02T07:33:38.093Z
Affected
- Apache Kylin from 4.0.0 through 5.0.2
Description
Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Kylin.
This issue affects Apache Kylin: from 4.0.0 through 5.0.2.
Users are recommended to upgrade to version 5.0.3, which fixes the issue.
References
Credits
- liuhuajin liuhuajin1@huawei.com (finder)
- 75Acol (finder)
- fcgboy (finder)
- stan fang (finder)
- zer0duck (finder)
The remote code execution via jdbc url
CVE-2025-30067 [CVE] [CVE json] [OSV json]
Last updated: 2025-03-27T15:06:34.995Z
Affected
- Apache Kylin from 4.0.0 through 5.0.1
Description
Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Kylin. If an attacker gets access to Kylin's system or project admin permission, the JDBC connection configuration maybe altered to execute arbitrary code from the remote. You are fine as long as the Kylin's system and project admin access is well protected.
This issue affects Apache Kylin: from 4.0.0 through 5.0.1.
Users are recommended to upgrade to version 5.0.2 or above, which fixes the issue.
References
Credits
- Pho3n1x ph03n1x@qq.com (finder)
SSRF vulnerability in the diagnosis api
CVE-2024-48944 [CVE] [CVE json] [OSV json]
Last updated: 2025-04-28T14:59:34.758Z
Affected
- Apache Kylin from 5.0.0 through 5.0.1
Description
Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin. Through a kylin server, an attacker may forge a request to invoke "/kylin/api/xxx/diag" api on another internal host and possibly get leaked information. There are two preconditions: 1) The attacker has got admin access to a kylin server; 2) Another internal host has the "/kylin/api/xxx/diag" api
endpoint open for service.
This issue affects Apache Kylin: from 5.0.0 through
5.0.1.
Users are recommended to upgrade to version 5.0.2, which fixes the issue.
References
Credits
- Zevi linzmgx@gmail.com (finder)
Session fixation in web interface
CVE-2024-23590 [CVE] [CVE json] [OSV json]
Last updated: 2024-11-04T09:27:04.256Z
Affected
- Apache Kylin from 2.0.0 before 5.0.0
Description
Session Fixation vulnerability in Apache Kylin.
This issue affects Apache Kylin: from 2.0.0 through 4.x.
Users are recommended to upgrade to version 5.0.0 or above, which fixes the issue.
References
Credits
- XJB Security Team (reporter)
Insufficiently protected credentials in config file
CVE-2023-29055 [CVE] [CVE json] [OSV json]
Last updated: 2024-01-29T12:20:52.048Z
Affected
- Apache Kylin from 2.0.0 through 4.0.3
Description
- Always turn on HTTPS so that network payload is encrypted.
- Avoid putting credentials in kylin.properties, or at least not in plain text.
- Use network firewalls to protect the serverside such that it is not accessible to external attackers.
- Upgrade to version Apache Kylin 4.0.4, which filters out the sensitive content that goes to the Server Config web interface.
References
Credits
- Li Jiakun 2839549219@qq.com (reporter)
Command injection by Diagnosis Controller
CVE-2022-44621 [CVE] [CVE json] [OSV json]
Last updated: 2022-12-30T10:31:39.045Z
Affected
- Apache Kylin from Apache Kylin 4 through 4.0.2
Description
Diagnosis Controller miss parameter validation, so user may attacked by command injection via HTTP Request.
References
Credits
- Messy God godimessy@gmail.com (finder)
Command injection by Useless configuration
CVE-2022-43396 [CVE] [CVE json] [OSV json]
Last updated: 2022-12-30T10:30:28.434Z
Affected
- Apache Kylin from Apache Kylin 4 through 4.0.2
Description
In the fix for CVE-2022-24697, a blacklist is used to filter user input commands. But there is a risk of being bypassed. The user can control the command by controlling the kylin.engine.spark-cmd parameter of conf.
References
Credits
- Yasax1 Li pp1ove.lit@gmail.com (finder)
Apache Kylin prior to 4.0.2 allows command injection when the configuration overwrites function overwrites system parameters
CVE-2022-24697 [CVE] [CVE json] [OSV json]
Last updated: 2022-10-13T13:05:28.696Z
Affected
- Apache Kylin from Apache Kylin 2 before 2.6.6
- Apache Kylin from Apache Kylin 3 through 3.1.2
- Apache Kylin from Apache Kylin 4 through 4.0.1
Description
Kylin’s cube designer function has a command injection vulnerability when overwriting system parameters in the configuration overwrites menu. RCE can be implemented by closing the single quotation marks around the parameter value of “– conf=” to inject any operating system command into the command line parameters. This vulnerability affects Kylin 2 version 2.6.5 and earlier, Kylin 3 version 3.1.2 and earlier, and Kylin 4 version 4.0.1 and earlier.
References
Credits
- Kylin Team would like to thanks Kai Zhao of ToTU Secruity Team.
Hardcoded credentials
CVE-2021-45458 [CVE] [CVE json] [OSV json]
Last updated: 2022-01-06T12:33:02.681Z
Affected
- Apache Kylin from Apache Kylin 2 through 2.6.6
- Apache Kylin from Apache Kylin 3 through 3.1.2
- Apache Kylin from Apache Kylin 4 through 4.0.0
Description
Apache Kylin provides encryption classes PasswordPlaceholderConfigurer to help users encrypt their passwords. In the encryption algorithm used by this encryption class, the cipher is initialized with a hardcoded key and IV. If users use class PasswordPlaceholderConfigurer to encrypt their password and configure it into kylin’s configuration file, there is a risk that the password may be decrypted. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.
References
Credits
- Alvaro Munoz pwntester@github.com
Overly broad CORS configuration
CVE-2021-45457 [CVE] [CVE json] [OSV json]
Last updated: 2022-01-06T12:32:08.962Z
Affected
- Apache Kylin from Apache Kylin 2 through 2.6.6
- Apache Kylin from Apache Kylin 3 through 3.1.2
- Apache Kylin from Apache Kylin 4 through 4.0.0
Description
In Apache Kylin, Cross-origin requests with credentials are allowed to be sent from any origin.
This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.
References
Credits
- Alvaro Munoz pwntester@github.com
Command injection
CVE-2021-45456 [CVE] [CVE json] [OSV json]
Last updated: 2022-01-06T12:30:40.650Z
Affected
- Apache Kylin at Apache Kylin 4 4.0.0
Description
Apache kylin checks the legitimacy of the project before executing some commands with the project name passed in by the user. There is a mismatch between what is being checked and what is being used as the shell command argument in DiagnosisService. This may cause an illegal project name to pass the check and perform the following steps, resulting in a command injection vulnerability. This issue affects Apache Kylin 4.0.0.
References
Credits
- Alvaro Munoz pwntester@github.com
Mysql JDBC Connector Deserialize RCE
CVE-2021-36774 [CVE] [CVE json] [OSV json]
Last updated: 2022-01-06T12:29:47.699Z
Affected
- Apache Kylin from Apache Kylin 2 through 2.6.6
- Apache Kylin from Apache Kylin 3 through 3.1.2
Description
Apache Kylin allows users to read data from other database systems using JDBC. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Kylin server processes. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions.
References
Credits
- jinchen sheng jincsheng@gmail.com
Apache Kylin unsafe class loading
CVE-2021-31522 [CVE] [CVE json] [OSV json]
Last updated: 2022-01-06T12:28:58.641Z
Affected
- Apache Kylin from Apache Kylin 2 through 2.6.6
- Apache Kylin from Apache Kylin 3 through 3.1.2
- Apache Kylin from Apache Kylin 4 through 4.0.0
Description
Kylin can receive user input and load any class through Class.forName(…). This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.
References
Credits
- bo yu forhaby0@gmail.com
Improper Access Control to Streaming Coordinator & SSRF
CVE-2021-27738 [CVE] [CVE json] [OSV json]
Last updated: 2022-01-06T12:26:35.086Z
Affected
- Apache Kylin from Apache Kylin 3 before 3.1.2
Description
All request mappings in StreamingCoordinatorController.java handling /kylin/api/streaming_coordinator/* REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests, such as assigning/unassigning of streaming cubes, creation/modification and deletion of replica sets, to the Kylin Coordinator.
For endpoints accepting node details in HTTP message body, unauthenticated (but limited) server-side request forgery (SSRF) can be achieved.
This issue affects Apache Kylin Apache Kylin 3 versions prior to 3.1.2.
References
Credits
- Wei Lin Ngo ngo.weilin@starlabs.sg