CVE-2026-62390
Apache Software Foundation · Apache Kylin
Apache Kylin is susceptible to an SQL injection vulnerability via a backend API used for refreshing table catalogs.
Executive summary
An unauthenticated SQL injection vulnerability in Apache Kylin allows attackers to execute arbitrary database commands, posing a risk of total system compromise.
Vulnerability
The vulnerability stems from improper neutralization of special elements used in SQL commands within the backend API. An attacker can inject malicious SQL code during the table catalog refresh process, which is then executed by the database.
Business impact
This SQL injection flaw permits unauthorized access to backend data and potentially allows for full control over the database environment. Given the 9.8 CVSS score, the risk of data exfiltration, unauthorized modification, or complete service disruption is extreme, necessitating immediate remediation to maintain the security posture of analytical systems.
Remediation
Immediate Action: Upgrade to Apache Kylin version 5.0.4 or later immediately to resolve the vulnerable code path.
Proactive Monitoring: Monitor database query logs for evidence of anomalous SQL structures or unauthorized attempts to access or modify table catalogs.
Compensating Controls: Deploy WAF rules specifically designed to detect and block SQL injection patterns targeting the Apache Kylin API endpoints.
Exploitation status
Public Exploit Available: Unknown.
Analyst recommendation
The severity of this SQL injection vulnerability necessitates an immediate upgrade to the fixed version. Organizations must treat this as a high-priority task to ensure that their data infrastructure remains protected against potentially automated exploitation.