The Apache Software Foundation has published a new security advisory disclosing three vulnerabilities in Apache Kylin, a high-concurrency OLAP engine widely used for big data analytics. The vulnerabilities, tracked as CVE-2025-61733, CVE-2025-61734, and CVE-2025-61735, affect versions 4.0.0 through 5.0.2 and have now been patched in version 5.0.3.
CVE-2025-61733: Authentication Bypass
The most critical issue, CVE-2025-61733, is rated High severity. According to the advisory, it is an “Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Kylin.”
This flaw could allow attackers to bypass authentication mechanisms entirely, potentially granting unauthorized access to sensitive data or administrative functions within Kylin environments. Given the platform’s role in large-scale analytics, exploitation of this vulnerability poses a significant risk to enterprises relying on Kylin for business intelligence.
CVE-2025-61734: Improper Restriction of File Read
The second flaw, CVE-2025-61734, is classified as Low severity but still poses risks in poorly secured environments. The advisory explains: “Files or Directories Accessible to External Parties vulnerability in Apache Kylin. You are fine as long as the Kylin’s system and project admin access is well protected.”
If exploited, attackers with sufficient access could retrieve sensitive files from the system, leading to data leakage or reconnaissance for further attacks.
CVE-2025-61735: Server-Side Request Forgery (SSRF)
The third flaw, CVE-2025-61735, is another Low severity issue involving Server-Side Request Forgery (SSRF). The advisory notes: “Server-Side Request Forgery (SSRF) vulnerability in Apache Kylin.”
SSRF vulnerabilities allow attackers to trick a vulnerable server into making requests to internal services or external systems, potentially exposing sensitive metadata or enabling lateral movement.
Mitigation and Upgrade Guidance
All three vulnerabilities affect Apache Kylin versions 4.0.0 through 5.0.2. Users are strongly advised to upgrade to version 5.0.3, which includes the fixes for all three issues.
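As an added example (not code from the advisory or the Kylin project), the following script triages a constructed host inventory against the affected range above: versions 4.0.0 through 5.0.2 are flagged for upgrade, 5.0.3 and later are treated as fixed, and pre-release builds of a fixed version (for example a `-SNAPSHOT` tag) are flagged for manual verification because they may predate the fix. Hostnames and version strings in the sample are assumptions.

```python
"""Triage Apache Kylin hosts against the affected range in the ASF advisory
(4.0.0 through 5.0.2, fixed in 5.0.3). Added example, not ASF code."""
from typing import List, Tuple

AFFECTED_MIN = (4, 0, 0)   # first affected release per the advisory
AFFECTED_MAX = (5, 0, 2)   # last affected release per the advisory
FIXED = (5, 0, 3)          # release carrying the fixes


def parse_version(text: str) -> Tuple[Tuple[int, int, int], str]:
    """Split 'major.minor.patch[-suffix]' into a numeric tuple and suffix.

    Missing components are padded with 0, so '5.0' parses as (5, 0, 0).
    A pre-release tag such as '-SNAPSHOT' or '-rc1' is returned separately
    because it cannot be compared numerically.
    """
    core, _, suffix = text.strip().partition("-")
    parts = core.split(".")
    if not 1 <= len(parts) <= 3 or not all(p.isdigit() for p in parts):
        raise ValueError(f"unrecognised Kylin version string: {text!r}")
    nums = [int(p) for p in parts] + [0] * (3 - len(parts))
    return (nums[0], nums[1], nums[2]), suffix


def verdict(version: str) -> str:
    """Classify one version: 'affected', 'fixed', 'below-range' or 'verify'."""
    core, suffix = parse_version(version)
    if AFFECTED_MIN <= core <= AFFECTED_MAX:
        return "affected"       # inside the advisory's range: upgrade to 5.0.3
    if core < AFFECTED_MIN:
        return "below-range"    # older than the range the advisory assessed
    # core >= FIXED: a pre-release build of a fixed version may predate the fix
    return "verify" if suffix else "fixed"


def triage(inventory: List[Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (host, version, verdict) for each (host, version) pair."""
    return [(host, ver, verdict(ver)) for host, ver in inventory]


if __name__ == "__main__":
    # Constructed sample inventory; hostnames and versions are illustrative.
    sample = [
        ("kylin-prod-01", "5.0.2"),
        ("kylin-prod-02", "5.0.3"),
        ("kylin-legacy", "3.1.3"),
        ("kylin-staging", "5.0.3-SNAPSHOT"),
        ("kylin-dev", "4.0"),
    ]
    for host, ver, result in triage(sample):
        print(f"{host:15} {ver:15} {result}")
```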