Skip to main content

Apache Kylin CVE-2026-62393

| EUVDEUVD-2026-43665 MEDIUM
Improper Handling of Insufficient Permissions or Privileges (CWE-280)
4.3
CVSS 3.1 · NVD
Share

Severity by source

NVD PRIMARY
4.3 MEDIUM
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
vuln.today AI
4.3 MEDIUM

Network-reachable REST API (AV:N, AC:L); requires authenticated low-privilege user (PR:L); read-only job metadata disclosure, no integrity or availability impact.

3.1 AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
4.0 AV:N/AC:L/AT:N/PR:L/UI:N/VC:L/VI:N/VA:N/SC:N/SI:N/SA:N

Primary rating from NVD.

CVSS VectorNVD

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Attack Vector
Network
Attack Complexity
Low
Privileges Required
Low
User Interaction
None
Scope
Unchanged
Confidentiality
Low
Integrity
None
Availability
None

Lifecycle Timeline

3
CVSS changed
Jul 14, 2026 - 17:07 NVD
4.3 (MEDIUM)
Analysis Generated
Jul 14, 2026 - 04:16 vuln.today
CVE Published
Jul 14, 2026 - 04:03 oss-security
CRITICAL

Description PRE-NVD

Disclosed via oss-security. NVD scoring and full description are pending.

AnalysisAI

Improper authorization in Apache Kylin's REST API job endpoints allows authenticated users to retrieve job metadata from projects they are not authorized to access. The JobController.getJobList and JobController.getJobDetail endpoints lack project-scoped permission verification, meaning any authenticated user can query build job information across project boundaries within a shared Kylin deployment. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Obtain valid Kylin user credentials
Delivery
Authenticate to Kylin REST API
Exploit
Query getJobList or getJobDetail with cross-project job ID
Execution
Receive unauthorized job metadata from target project
Impact
Harvest pipeline/model/data source details

Vulnerability AssessmentAI

Exploitation Exploitation requires a valid authenticated session on the Apache Kylin instance - the attacker must hold any valid user account in the Kylin deployment, but does not need elevated privileges or access to the target project. … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment No CVSS vector or EPSS score is provided for this CVE at time of analysis - the official NVD entry carries no score, and Apache's own classification is 'important'. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An authenticated user with access to Project A in a shared Kylin deployment issues a direct REST API call to `GET /kylin/api/jobs` or `/kylin/api/jobs/{jobId}` with a job identifier or project name belonging to Project B, to which they have no assigned permissions. Because the API omits project-scoped authorization, it returns the job details - including data source references, model names, build parameters, and timestamps - for Project B's pipelines. …
Remediation Vendor-released patch: Apache Kylin 5.0.4, which adds project permission verification to the `JobController.getJobList` and `JobController.getJobDetail` REST API endpoints. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all Apache Kylin deployments and identify instances running versions 4.0-5.0.3. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

More in Kylin

View all
CVE-2020-1956 HIGH POC
8.8 May 22

Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restful apis which will concatenate os command with the

CVE-2026-62392 CRITICAL
9.8 Jul 14

OS command injection in Apache Kylin (versions 4 through 5.0.3) allows attackers to execute arbitrary operating-system c

CVE-2026-62390 CRITICAL
9.8 Jul 14

SQL injection in Apache Kylin (versions 4 through 5.0.3) allows attackers to inject arbitrary SQL through a backend API

CVE-2022-44621 CRITICAL
9.8 Dec 30

Diagnosis Controller miss parameter validation, so user may attacked by command injection via HTTP Request. Rated critic

CVE-2022-24697 CRITICAL
9.8 Oct 13

Kylin's cube designer function has a command injection vulnerability when overwriting system parameters in the configura

CVE-2020-13926 CRITICAL
9.8 Jul 14

Kylin concatenates and executes a Hive SQL in Hive CLI or beeline when building a new segment; some part of the HQL is f

CVE-2020-13925 CRITICAL
9.8 Jul 14

Similar to CVE-2020-1956, Kylin has one more restful API which concatenates the API inputs into OS commands and then exe

CVE-2020-13937 MEDIUM POC
5.3 Oct 19

Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.

CVE-2024-23590 CRITICAL
9.1 Nov 04

Session Fixation vulnerability in Apache Kylin.0.0 through 4.x. Rated critical severity (CVSS 9.1), this vulnerability i

CVE-2022-43396 HIGH
8.8 Dec 30

In the fix for CVE-2022-24697, a blacklist is used to filter user input commands. Rated high severity (CVSS 8.8), this v

CVE-2020-1937 HIGH
8.8 Feb 24

Kylin has some restful apis which will concatenate SQLs with the user input string, a user is likely to be able to run m

CVE-2025-61733 HIGH
7.5 Oct 02

Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Kylin. This issue affects Apache Kylin

Share

CVE-2026-62393 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy