Apache Kyuubi security advisories
Security information for Apache Kyuubi
Reporting
Do you want disclose a potential security issue for Apache Kyuubi? Send your report to the Apache Kyuubi Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
Unauthorized directory access due to missing path normalization
CVE-2025-66518 [CVE] [CVE json] [OSV json]
Last updated: 2026-01-05T08:46:25.781Z
Affected
- Apache Kyuubi from 1.6.0 through 1.10.2
Description
Any client who can access to Apache Kyuubi Server via Kyuubi frontend protocols can bypass server-side config kyuubi.session.local.dir.allow.list and use local files which are not listed in the config.
This issue affects Apache Kyuubi: from 1.6.0 through 1.10.2.
Users are recommended to upgrade to version 1.10.3 or upper, which fixes the issue.
References
Credits
- Hiroki Egawa (reporter)
- Hiroki Egawa (remediation developer)