CVE-2020-13926
Description
Apache Kylin versions 2.0 to 3.0.1 are vulnerable to SQL injection via a REST API that overwrites system configurations used in Hive SQL segment building.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Root Cause
Apache Kylin concatenates and executes a Hive SQL statement via Hive CLI or beeline when building a new segment. Part of the HQL is derived from system configurations, which can be overwritten by a certain REST API. This design allows an attacker to inject malicious SQL into the Hive query, leading to SQL injection [1][2].
Exploitation
An attacker with network access to the Kylin REST API can overwrite the system configuration values that are incorporated into the Hive SQL. Based on the available sources, exploitation does not appear to require prior authentication when the REST API endpoint is exposed, although the exact prerequisites are not detailed. The injection occurs during the segment building process, which is a routine operation in Kylin [1][2].
Impact
Successful exploitation enables the attacker to execute arbitrary Hive SQL commands. This could result in unauthorized reading, modification, or deletion of data stored in Hive, potentially compromising the integrity and confidentiality of the underlying data warehouse [1][2].
Mitigation
The vulnerability affects Kylin versions from 2.0 through 3.0.1. Users are advised to upgrade to version 3.1.0, which contains the fix. No workarounds are mentioned in the available references [2].
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.kylin:kylin-server-base | Maven | < 3.1.0 | 3.1.0 |
Affected products
- Kylin / Kylin Hive
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-hx5g-8hq2-8x4w (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2020-13926 (NVD)
- lists.apache.org/thread.html/r021baf9d8d4ae41e8c8332c167c4fa96c91b5086563d9be55d2d7acf%40%3Ccommits.kylin.apache.org%3E (Apache Kylin commits mailing list)
- lists.apache.org/thread.html/r63d5663169e866d44ff9250796193337cff7d9cf61cc3839e86163fd%40%3Cuser.kylin.apache.org%3E (Apache Kylin user mailing list)
- snyk.io/vuln/SNYK-JAVA-ORGAPACHEKYLIN-584374 (Snyk)
News mentions
No linked articles in our index yet.