Skip to main content

Kylin

17 CVEs product

Monthly

CVE-2026-62393 MEDIUM This Month

Improper authorization in Apache Kylin's REST API job endpoints allows authenticated users to retrieve job metadata from projects they are not authorized to access. The `JobController.getJobList` and `JobController.getJobDetail` endpoints lack project-scoped permission verification, meaning any authenticated user can query build job information across project boundaries within a shared Kylin deployment. Apache Kylin versions 4 through 5.0.3 are affected; no public exploit code or active exploitation has been identified at time of analysis.

Apache Authentication Bypass Kylin
NVD
CVSS 3.1
4.3
EPSS
0.5%
CVE-2026-62392 CRITICAL Act Now

OS command injection in Apache Kylin (versions 4 through 5.0.3) allows attackers to execute arbitrary operating-system commands by supplying malicious job configuration parameters that a backend API passes unsanitized to the OS command line. Because Kylin runs as a distributed analytics engine, successful exploitation yields full host compromise with the privileges of the Kylin service account. Per the vendor CVSS (AV:N/PR:N), the flaw is scored as network-reachable and unauthenticated with high impact across confidentiality, integrity, and availability; no public exploit is identified at time of analysis, and it is not listed in CISA KEV.

Command Injection Apache Kylin
NVD
CVSS 3.1
9.8
EPSS
1.8%
CVE-2026-62390 CRITICAL Act Now

SQL injection in Apache Kylin (versions 4 through 5.0.3) allows attackers to inject arbitrary SQL through a backend API used to refresh the table catalog, where untrusted input is concatenated into a dynamically generated SQL statement. The upstream CVSS 3.1 vector rates this as unauthenticated (PR:N) with full confidentiality, integrity, and availability impact (9.8), enabling database read/write and potentially further compromise. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

SQLi Apache Kylin
NVD
CVSS 3.1
9.8
EPSS
0.7%
CVE-2025-61735 Maven HIGH PATCH This Week

Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. You are fine as long as the Kylin's system and project admin access is well protected. Users are recommended to upgrade to version 5.0.3, which fixes the issue.

SSRF Apache Kylin
NVD GitHub
CVSS 3.1
7.3
EPSS
0.1%
CVE-2025-61734 Maven HIGH PATCH This Week

Files or Directories Accessible to External Parties vulnerability in Apache Kylin. You are fine as long as the Kylin's system and project admin access is well protected. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. Users are recommended to upgrade to version 5.0.3, which fixes the issue.

Information Disclosure Path Traversal Apache Kylin
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-61733 Maven HIGH PATCH This Week

Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Kylin. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. Users are recommended to upgrade to version 5.0.3, which fixes the issue.

Authentication Bypass Apache Kylin
NVD GitHub
CVSS 3.1
7.5
EPSS
0.1%
CVE-2025-30067 Maven HIGH PATCH This Week

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Kylin. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Apache Code Injection Kylin
NVD
CVSS 3.1
7.2
EPSS
0.3%
CVE-2024-48944 Maven MEDIUM PATCH This Month

Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache SSRF Kylin
NVD
CVSS 3.1
6.5
EPSS
0.1%
CVE-2024-23590 Maven CRITICAL PATCH Act Now

Session Fixation vulnerability in Apache Kylin.0.0 through 4.x. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Session Fixation Information Disclosure Kylin
NVD
CVSS 3.1
9.1
EPSS
0.6%
CVE-2022-44621 Maven CRITICAL PATCH Act Now

Diagnosis Controller miss parameter validation, so user may attacked by command injection via HTTP Request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Command Injection Kylin
NVD
CVSS 3.1
9.8
EPSS
3.0%
CVE-2022-43396 Maven HIGH PATCH This Week

In the fix for CVE-2022-24697, a blacklist is used to filter user input commands. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Kylin
NVD
CVSS 3.1
8.8
EPSS
56.8%
CVE-2022-24697 Maven CRITICAL PATCH Act Now

Kylin's cube designer function has a command injection vulnerability when overwriting system parameters in the configuration overwrites menu. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Command Injection Kylin
NVD
CVSS 3.1
9.8
EPSS
84.8%
CVE-2020-13937 Maven MEDIUM POC PATCH THREAT This Month

Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1, 3.0.2,. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Kylin
NVD
CVSS 3.1
5.3
EPSS
78.3%
CVE-2020-13926 Maven CRITICAL PATCH Act Now

Kylin concatenates and executes a Hive SQL in Hive CLI or beeline when building a new segment; some part of the HQL is from system configurations, while the configuration can be overwritten by. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Kylin
NVD
CVSS 3.1
9.8
EPSS
1.9%
CVE-2020-13925 Maven CRITICAL PATCH Act Now

Similar to CVE-2020-1956, Kylin has one more restful API which concatenates the API inputs into OS commands and then executes them on the server; while the reported API misses necessary input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Kylin
NVD
CVSS 3.1
9.8
EPSS
19.9%
CVE-2020-1956 Maven HIGH POC KEV PATCH THREAT This Week

Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restful apis which will concatenate os command with the user input string, a user is likely to be able to execute any os command. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Apache Command Injection Kylin
NVD
CVSS 3.1
8.8
EPSS
97.3%
CVE-2020-1937 Maven HIGH PATCH This Week

Kylin has some restful apis which will concatenate SQLs with the user input string, a user is likely to be able to run malicious database queries. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Kylin
NVD
CVSS 3.1
8.8
EPSS
2.7%
EPSS 0% CVSS 4.3
MEDIUM This Month

Improper authorization in Apache Kylin's REST API job endpoints allows authenticated users to retrieve job metadata from projects they are not authorized to access. The `JobController.getJobList` and `JobController.getJobDetail` endpoints lack project-scoped permission verification, meaning any authenticated user can query build job information across project boundaries within a shared Kylin deployment. Apache Kylin versions 4 through 5.0.3 are affected; no public exploit code or active exploitation has been identified at time of analysis.

Apache Authentication Bypass Kylin
NVD
EPSS 2% CVSS 9.8
CRITICAL Act Now

OS command injection in Apache Kylin (versions 4 through 5.0.3) allows attackers to execute arbitrary operating-system commands by supplying malicious job configuration parameters that a backend API passes unsanitized to the OS command line. Because Kylin runs as a distributed analytics engine, successful exploitation yields full host compromise with the privileges of the Kylin service account. Per the vendor CVSS (AV:N/PR:N), the flaw is scored as network-reachable and unauthenticated with high impact across confidentiality, integrity, and availability; no public exploit is identified at time of analysis, and it is not listed in CISA KEV.

Command Injection Apache Kylin
NVD
EPSS 1% CVSS 9.8
CRITICAL Act Now

SQL injection in Apache Kylin (versions 4 through 5.0.3) allows attackers to inject arbitrary SQL through a backend API used to refresh the table catalog, where untrusted input is concatenated into a dynamically generated SQL statement. The upstream CVSS 3.1 vector rates this as unauthenticated (PR:N) with full confidentiality, integrity, and availability impact (9.8), enabling database read/write and potentially further compromise. There is no public exploit identified at time of analysis and it is not listed in CISA KEV.

SQLi Apache Kylin
NVD
EPSS 0% CVSS 7.3
HIGH PATCH This Week

Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. You are fine as long as the Kylin's system and project admin access is well protected. Users are recommended to upgrade to version 5.0.3, which fixes the issue.

SSRF Apache Kylin
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Files or Directories Accessible to External Parties vulnerability in Apache Kylin. You are fine as long as the Kylin's system and project admin access is well protected. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. Users are recommended to upgrade to version 5.0.3, which fixes the issue.

Information Disclosure Path Traversal Apache +1
NVD GitHub
EPSS 0% CVSS 7.5
HIGH PATCH This Week

Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Kylin. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. Users are recommended to upgrade to version 5.0.3, which fixes the issue.

Authentication Bypass Apache Kylin
NVD GitHub
EPSS 0% CVSS 7.2
HIGH PATCH This Week

Improper Control of Generation of Code ('Code Injection') vulnerability in Apache Kylin. Rated high severity (CVSS 7.2), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

RCE Apache Code Injection +1
NVD
EPSS 0% CVSS 6.5
MEDIUM PATCH This Month

Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin. Rated medium severity (CVSS 6.5), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

Apache SSRF Kylin
NVD
EPSS 1% CVSS 9.1
CRITICAL PATCH Act Now

Session Fixation vulnerability in Apache Kylin.0.0 through 4.x. Rated critical severity (CVSS 9.1), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Session Fixation Information Disclosure +1
NVD
EPSS 3% CVSS 9.8
CRITICAL PATCH Act Now

Diagnosis Controller miss parameter validation, so user may attacked by command injection via HTTP Request. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity.

Command Injection Kylin
NVD
EPSS 57% CVSS 8.8
HIGH PATCH This Week

In the fix for CVE-2022-24697, a blacklist is used to filter user input commands. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity.

Authentication Bypass Kylin
NVD
EPSS 85% CVSS 9.8
CRITICAL PATCH Act Now

Kylin's cube designer function has a command injection vulnerability when overwriting system parameters in the configuration overwrites menu. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. This OS Command Injection vulnerability could allow attackers to execute arbitrary operating system commands on the host.

Command Injection Kylin
NVD
EPSS 78% CVSS 5.3
MEDIUM POC PATCH THREAT This Month

Apache Kylin 2.0.0, 2.1.0, 2.2.0, 2.3.0, 2.3.1, 2.3.2, 2.4.0, 2.4.1, 2.5.0, 2.5.1, 2.5.2, 2.6.0, 2.6.1, 2.6.2, 2.6.3, 2.6.4, 2.6.5, 2.6.6, 3.0.0-alpha, 3.0.0-alpha2, 3.0.0-beta, 3.0.0, 3.0.1, 3.0.2,. Rated medium severity (CVSS 5.3), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Apache Information Disclosure Kylin
NVD
EPSS 2% CVSS 9.8
CRITICAL PATCH Act Now

Kylin concatenates and executes a Hive SQL in Hive CLI or beeline when building a new segment; some part of the HQL is from system configurations, while the configuration can be overwritten by. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

SQLi Kylin
NVD
EPSS 20% CVSS 9.8
CRITICAL PATCH Act Now

Similar to CVE-2020-1956, Kylin has one more restful API which concatenates the API inputs into OS commands and then executes them on the server; while the reported API misses necessary input. Rated critical severity (CVSS 9.8), this vulnerability is remotely exploitable, no authentication required, low attack complexity. No vendor patch available.

Command Injection Kylin
NVD
EPSS 97% CVSS 8.8
HIGH POC KEV PATCH THREAT This Week

Apache Kylin 2.3.0, and releases up to 2.6.5 and 3.0.1 has some restful apis which will concatenate os command with the user input string, a user is likely to be able to execute any os command. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. Public exploit code available.

Apache Command Injection Kylin
NVD
EPSS 3% CVSS 8.8
HIGH PATCH This Week

Kylin has some restful apis which will concatenate SQLs with the user input string, a user is likely to be able to run malicious database queries. Rated high severity (CVSS 8.8), this vulnerability is remotely exploitable, low attack complexity. No vendor patch available.

SQLi Kylin
NVD

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy