Improper Access Control to Streaming Coordinator & SSRF
Description
All request mappings in StreamingCoordinatorController.java handling /kylin/api/streaming_coordinator/* REST API endpoints did not include any security checks, which allowed an unauthenticated user to issue arbitrary requests to the Kylin Coordinator, such as assigning/unassigning streaming cubes and creating, modifying or deleting replica sets. For endpoints accepting node details in the HTTP message body, unauthenticated (but limited) server-side request forgery (SSRF) can be achieved. This issue affects Apache Kylin 3 versions prior to 3.1.2.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Unauthenticated users could issue arbitrary requests to Apache Kylin 3.x Streaming Coordinator REST APIs, including SSRF, prior to version 3.1.2.
Vulnerability
All request mappings in StreamingCoordinatorController.java handling /kylin/api/streaming_coordinator/* REST API endpoints in Apache Kylin 3.x prior to version 3.1.2 lack any security checks [1][3]. This allows an unauthenticated attacker to issue arbitrary requests to the Kylin Coordinator, such as assigning or unassigning streaming cubes, and creating, modifying, or deleting replica sets. For endpoints that accept node details in the HTTP message body, this can lead to unauthenticated (but limited) server-side request forgery (SSRF) [1][3].
Exploitation
An attacker needs only network access to the Kylin Coordinator HTTP endpoint. No authentication or user interaction is required [1][3]. The attacker can issue HTTP requests to the exposed endpoints under /kylin/api/streaming_coordinator/* to perform operations like assigning/unassigning streaming cubes or creating/modifying/deleting replica sets. For endpoints that accept node details in the message body, the attacker can craft requests that trigger a limited SSRF, allowing interactions with internal services [1][3].
Impact
Successful exploitation allows an unauthenticated attacker to manipulate streaming cube assignments and replica set configurations, disrupting or corrupting streaming data processing in Kylin [1][3]. The SSRF capability, while limited, can be used to probe or interact with internal network resources [1][3]. The compromise primarily affects availability and integrity of the streaming coordination functionality; no elevation of privileges is explicitly documented.
Mitigation
Apache Kylin users on 3.x versions should upgrade to version 3.1.3 or apply the patch from pull request #1646 on the Kylin GitHub repository [3][4]. The fix introduces proper authentication checks on the affected REST endpoints. No workaround is documented if upgrading or patching is not immediately possible [3][4].
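As an added illustration (not Kylin's own code and not the change made in pull request #1646), the following Python sketch models the defect class and the corrected shape described above: a route table in which one handler is registered with no authorization check at all, a hardened handler that requires an admin role and validates body-supplied node addresses against an allowlist of registered receivers before they could be used for any outbound call, and an audit helper that lists every route left without a role requirement. The sub-paths, role name, node names and request structure are constructed stand-ins, not Kylin identifiers.

```python
from dataclasses import dataclass, field
from functools import wraps
from typing import Callable, Dict, List, Optional


@dataclass
class Request:
    """Constructed stand-in for an inbound HTTP request."""
    path: str
    user: Optional[str] = None            # None = unauthenticated caller
    roles: frozenset = frozenset()
    body: dict = field(default_factory=dict)


class Forbidden(Exception):
    pass


class RejectedNode(Exception):
    pass


ROUTES: Dict[str, Callable[[Request], dict]] = {}


def route(path: str):
    """Register a handler under a path (stand-in for a request mapping)."""
    def deco(fn):
        ROUTES[path] = fn
        return fn
    return deco


def require_role(role: str):
    """Refuse the request unless the caller is authenticated and holds `role`."""
    def deco(fn):
        @wraps(fn)
        def wrapper(req: Request) -> dict:
            if req.user is None or role not in req.roles:
                raise Forbidden(f"{req.path}: role {role} required")
            return fn(req)
        wrapper.required_role = role      # marker the audit below looks for
        return wrapper
    return deco


# Constructed allowlist standing in for the receivers the cluster actually knows
# about; a node named in a request body is accepted only if it is on this list.
KNOWN_NODES = {"receiver-1:9090", "receiver-2:9090"}


def check_node(node: str) -> str:
    """Reject body-supplied node addresses that are not registered receivers."""
    if node not in KNOWN_NODES:
        raise RejectedNode(f"node {node!r} is not a registered receiver")
    return node


# Vulnerable shape (the CVE's defect class): no role check, and the node named in
# the body is used as-is, so any caller can point the coordinator at any address.
@route("/kylin/api/streaming_coordinator/cubes/assign")
def assign_cube_unprotected(req: Request) -> dict:
    return {"cube": req.body["cube"], "node": req.body["node"], "by": req.user}


# Hardened shape: admin role enforced before the handler body runs, and every
# node address validated against the allowlist before it could be contacted.
@route("/kylin/api/streaming_coordinator/replica_set")
@require_role("ROLE_ADMIN")
def create_replica_set(req: Request) -> dict:
    nodes = [check_node(n) for n in req.body.get("nodes", [])]
    return {"replica_set": nodes, "by": req.user}


def dispatch(req: Request) -> dict:
    """Route a request to its registered handler."""
    return ROUTES[req.path](req)


def unprotected_routes() -> List[str]:
    """Audit: registered paths whose handler carries no role requirement."""
    return sorted(p for p, h in ROUTES.items() if not hasattr(h, "required_role"))


if __name__ == "__main__":
    print("routes without an authorization check:", unprotected_routes())
    anon = Request("/kylin/api/streaming_coordinator/replica_set",
                   body={"nodes": ["receiver-1:9090"]})
    try:
        dispatch(anon)
    except Forbidden as e:
        print("denied:", e)
```

The audit is the part worth keeping around: an authorization check applied per handler is easy to forget on one mapping, so a test that walks the route table and fails on any handler without the marker catches the omission before it ships. Validating node addresses against a list the server already trusts, rather than accepting whatever the body names, is what limits the SSRF side of the issue.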
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.kylin:kylin | Maven | < 3.1.3 | 3.1.3 |
Affected products
- Apache Software Foundation / Apache Kylin (range: Apache Kylin 3)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
1. github.com/advisories/GHSA-wrx7-qgmj-mf2q (GHSA; advisory)
2. nvd.nist.gov/vuln/detail/CVE-2021-27738 (GHSA; advisory)
3. www.openwall.com/lists/oss-security/2022/01/06/6 (GHSA; mailing list, x_refsource_MLIST; web)
4. github.com/apache/kylin/pull/1646 (GHSA; web)
5. lists.apache.org/thread/vkohh0to2vzwymyb2x13fszs3cs3vd70 (GHSA; x_refsource_MISC; web)
News mentions
No linked articles in our index yet.