Skip to main content

Apache Kylin CVE-2026-62390

| EUVDEUVD-2026-43660 CRITICAL
SQL Injection (CWE-89)
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

SQLi via a backend catalog-refresh API most plausibly requires an authenticated operator session, so PR:L rather than the vendor's PR:N; network vector and full CIA impact retained for injection into backing SQL.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Updated
Jul 14, 2026 - 17:15 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 14, 2026 - 17:07 vuln.today
cvss_changed
CVSS changed
Jul 14, 2026 - 17:07 NVD
9.8 (CRITICAL)
Analysis Generated
Jul 14, 2026 - 04:16 vuln.today
CVE Published
Jul 14, 2026 - 03:10 oss-security
HIGH

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

SQL injection in Apache Kylin (versions 4 through 5.0.3) allows attackers to inject arbitrary SQL through a backend API used to refresh the table catalog, where untrusted input is concatenated into a dynamically generated SQL statement. The upstream CVSS 3.1 vector rates this as unauthenticated (PR:N) with full confidentiality, integrity, and availability impact (9.8), enabling database read/write and potentially further compromise. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach Kylin backend catalog API
Delivery
Submit crafted table/catalog parameter
Exploit
Break out of generated SQL statement
Execution
Execute injected SQL on backing database
Impact
Exfiltrate or tamper with data

Vulnerability AssessmentAI

Exploitation Exploitation requires reaching the specific Apache Kylin backend API that refreshes the table catalog and supplying attacker-controlled input that flows into the dynamically generated SQL statement; this catalog-refresh code path is the exact feature that must be invoked. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The upstream CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N, C:H/I:H/A:H = 9.8) presents a worst-case, network-reachable, unauthenticated, low-complexity SQL injection with total impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker with network access to a Kylin instance's backend catalog-refresh API sends a crafted request containing SQL metacharacters in a table/catalog parameter; the value is concatenated into the generated SQL and executed against the backing data source, letting the attacker read, modify, or destroy data. Given AV:N/AC:L, exploitation is straightforward once the endpoint is reachable, though no public POC has been identified at time of analysis and reaching the backend API may require prior authentication depending on configuration.
Remediation Vendor-released patch: upgrade to Apache Kylin 5.0.4, which fixes the SQL injection per the Apache advisory (https://issues.apache.org/jira/browse/KYLIN-6089 and https://seclists.org/oss-sec/2026/q3/134); this is the primary and recommended action for all deployments running versions 4 through 5.0.3. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: immediately identify and inventory all systems running Apache Kylin versions 4.x through 5.0.3, then isolate vulnerable instances from production networks or implement firewall rules restricting access to the table catalog refresh API endpoints to trusted internal networks only. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Kylin

View all
CVE-2020-1956 HIGH POC
8.8 May 22

Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restful apis which will concatenate os command with the

CVE-2026-62392 CRITICAL
9.8 Jul 14

OS command injection in Apache Kylin (versions 4 through 5.0.3) allows attackers to execute arbitrary operating-system c

CVE-2022-44621 CRITICAL
9.8 Dec 30

Diagnosis Controller miss parameter validation, so user may attacked by command injection via HTTP Request. Rated critic

CVE-2022-24697 CRITICAL
9.8 Oct 13

Kylin's cube designer function has a command injection vulnerability when overwriting system parameters in the configura

CVE-2020-13926 CRITICAL
9.8 Jul 14

Kylin concatenates and executes a Hive SQL in Hive CLI or beeline when building a new segment; some part of the HQL is f

CVE-2020-13925 CRITICAL
9.8 Jul 14

Similar to CVE-2020-1956, Kylin has one more restful API which concatenates the API inputs into OS commands and then exe

CVE-2020-13937 MEDIUM POC
5.3 Oct 19

Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.

CVE-2024-23590 CRITICAL
9.1 Nov 04

Session Fixation vulnerability in Apache Kylin.0.0 through 4.x. Rated critical severity (CVSS 9.1), this vulnerability i

CVE-2022-43396 HIGH
8.8 Dec 30

In the fix for CVE-2022-24697, a blacklist is used to filter user input commands. Rated high severity (CVSS 8.8), this v

CVE-2020-1937 HIGH
8.8 Feb 24

Kylin has some restful apis which will concatenate SQLs with the user input string, a user is likely to be able to run m

CVE-2025-61733 HIGH
7.5 Oct 02

Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Kylin. This issue affects Apache Kylin

CVE-2025-61734 HIGH
7.5 Oct 02

Files or Directories Accessible to External Parties vulnerability in Apache Kylin. You are fine as long as the Kylin's

Share

CVE-2026-62390 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy