Apache Kyuubi security advisories

Security information for Apache Kyuubi

Reporting

Do you want disclose a potential security issue for Apache Kyuubi? Send your report to the Apache Kyuubi Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

Unauthorized directory access due to missing path normalization

CVE-2025-66518 [CVE] [CVE json] [OSV json]

Last updated: 2026-01-05T08:46:25.781Z

Affected

  • Apache Kyuubi from 1.6.0 through 1.10.2

Description

Any client who can access to Apache Kyuubi Server via Kyuubi frontend protocols can bypass server-side config kyuubi.session.local.dir.allow.list and use local files which are not listed in the config.

This issue affects Apache Kyuubi: from 1.6.0 through 1.10.2.

Users are recommended to upgrade to version 1.10.3 or upper, which fixes the issue.

References

Credits

  • Hiroki Egawa (reporter)
  • Hiroki Egawa (remediation developer)