GHSA-9rx7-cp4p-rwx4
Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Network-reachable REST API (AV:N, AC:L); requires authenticated low-privilege user (PR:L); read-only job metadata disclosure, no integrity or availability impact.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Lifecycle Timeline
3Description PRE-NVD
Articles & Coverage 1
AnalysisAI
Improper authorization in Apache Kylin's REST API job endpoints allows authenticated users to retrieve job metadata from projects they are not authorized to access. The JobController.getJobList and JobController.getJobDetail endpoints lack project-scoped permission verification, meaning any authenticated user can query build job information across project boundaries within a shared Kylin deployment. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires a valid authenticated session on the Apache Kylin instance - the attacker must hold any valid user account in the Kylin deployment, but does not need elevated privileges or access to the target project. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | No CVSS vector or EPSS score is provided for this CVE at time of analysis - the official NVD entry carries no score, and Apache's own classification is 'important'. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An authenticated user with access to Project A in a shared Kylin deployment issues a direct REST API call to `GET /kylin/api/jobs` or `/kylin/api/jobs/{jobId}` with a job identifier or project name belonging to Project B, to which they have no assigned permissions. Because the API omits project-scoped authorization, it returns the job details - including data source references, model names, build parameters, and timestamps - for Project B's pipelines. … |
| Remediation | Vendor-released patch: Apache Kylin 5.0.4, which adds project permission verification to the `JobController.getJobList` and `JobController.getJobDetail` REST API endpoints. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all Apache Kylin deployments and identify instances running versions 4.0-5.0.3. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restful apis which will concatenate os command with the
OS command injection in Apache Kylin (versions 4 through 5.0.3) allows attackers to execute arbitrary operating-system c
SQL injection in Apache Kylin (versions 4 through 5.0.3) allows attackers to inject arbitrary SQL through a backend API
Diagnosis Controller miss parameter validation, so user may attacked by command injection via HTTP Request. Rated critic
Kylin's cube designer function has a command injection vulnerability when overwriting system parameters in the configura
Kylin concatenates and executes a Hive SQL in Hive CLI or beeline when building a new segment; some part of the HQL is f
Similar to CVE-2020-1956, Kylin has one more restful API which concatenates the API inputs into OS commands and then exe
Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.
Session Fixation vulnerability in Apache Kylin.0.0 through 4.x. Rated critical severity (CVSS 9.1), this vulnerability i
In the fix for CVE-2022-24697, a blacklist is used to filter user input commands. Rated high severity (CVSS 8.8), this v
Kylin has some restful apis which will concatenate SQLs with the user input string, a user is likely to be able to run m
Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Kylin. This issue affects Apache Kylin
Same technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43665