GHSA-92vx-x7gx-68cf
Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
SQLi via a backend catalog-refresh API most plausibly requires an authenticated operator session, so PR:L rather than the vendor's PR:N; network vector and full CIA impact retained for injection into backing SQL.
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
5Description PRE-NVD
AnalysisAI
SQL injection in Apache Kylin (versions 4 through 5.0.3) allows attackers to inject arbitrary SQL through a backend API used to refresh the table catalog, where untrusted input is concatenated into a dynamically generated SQL statement. The upstream CVSS 3.1 vector rates this as unauthenticated (PR:N) with full confidentiality, integrity, and availability impact (9.8), enabling database read/write and potentially further compromise. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Exploitation requires reaching the specific Apache Kylin backend API that refreshes the table catalog and supplying attacker-controlled input that flows into the dynamically generated SQL statement; this catalog-refresh code path is the exact feature that must be invoked. … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The upstream CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N, C:H/I:H/A:H = 9.8) presents a worst-case, network-reachable, unauthenticated, low-complexity SQL injection with total impact. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker with network access to a Kylin instance's backend catalog-refresh API sends a crafted request containing SQL metacharacters in a table/catalog parameter; the value is concatenated into the generated SQL and executed against the backing data source, letting the attacker read, modify, or destroy data. Given AV:N/AC:L, exploitation is straightforward once the endpoint is reachable, though no public POC has been identified at time of analysis and reaching the backend API may require prior authentication depending on configuration. |
| Remediation | Vendor-released patch: upgrade to Apache Kylin 5.0.4, which fixes the SQL injection per the Apache advisory (https://issues.apache.org/jira/browse/KYLIN-6089 and https://seclists.org/oss-sec/2026/q3/134); this is the primary and recommended action for all deployments running versions 4 through 5.0.3. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: immediately identify and inventory all systems running Apache Kylin versions 4.x through 5.0.3, then isolate vulnerable instances from production networks or implement firewall rules restricting access to the table catalog refresh API endpoints to trusted internal networks only. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restful apis which will concatenate os command with the
OS command injection in Apache Kylin (versions 4 through 5.0.3) allows attackers to execute arbitrary operating-system c
Diagnosis Controller miss parameter validation, so user may attacked by command injection via HTTP Request. Rated critic
Kylin's cube designer function has a command injection vulnerability when overwriting system parameters in the configura
Kylin concatenates and executes a Hive SQL in Hive CLI or beeline when building a new segment; some part of the HQL is f
Similar to CVE-2020-1956, Kylin has one more restful API which concatenates the API inputs into OS commands and then exe
Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.
Session Fixation vulnerability in Apache Kylin.0.0 through 4.x. Rated critical severity (CVSS 9.1), this vulnerability i
In the fix for CVE-2022-24697, a blacklist is used to filter user input commands. Rated high severity (CVSS 8.8), this v
Kylin has some restful apis which will concatenate SQLs with the user input string, a user is likely to be able to run m
Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Kylin. This issue affects Apache Kylin
Files or Directories Accessible to External Parties vulnerability in Apache Kylin. You are fine as long as the Kylin's
Same weakness CWE-89 – SQL Injection
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-43660