Apache Kylin unsafe class loading
Description
Kylin can receive user input and load any class through Class.forName(...). This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions; Apache Kylin 4 version 4.0.0 and prior versions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Kylin 2.x, 3.x, and 4.x allow arbitrary class loading via Class.forName, enabling remote code execution.
Vulnerability
Apache Kylin versions 2.6.6 and prior, 3.1.2 and prior, and 4.0.0 and prior pass user-controlled input to Class.forName(...), so an attacker can choose which Java class the server loads [2][3]. The references do not identify the endpoint or parameter that carries the class name; the sink itself is the problem, because any class on the server's classpath becomes reachable by name.
Exploitation
An attacker with network access to a Kylin instance sends crafted input containing a fully qualified class name, and the server loads that class via Class.forName [3]. Two points matter for assessing reach: the one-argument form of Class.forName initializes the class it loads, so the target's static initializer executes even if nothing is instantiated, and whether the server also constructs the class determines how much further an attacker gets. The references do not state what authentication is required to reach the vulnerable input.
Impact
Successful exploitation can lead to arbitrary class loading, which may result in remote code execution (RCE) in the context of the Kylin server process. This can compromise the confidentiality, integrity, and availability of the system and data [2][3].
Mitigation
Users of Kylin 2.x and 3.x should upgrade to version 3.1.3 or apply the fix from github.com/apache/kylin/pull/1695 [1]; there is no separate patched 2.x release. Users of Kylin 4.x should upgrade to version 4.0.1 or apply the fix from github.com/apache/kylin/pull/1763 [4]. No other workaround is documented in the references.
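The unsafe pattern described in the Vulnerability and Exploitation sections, next to the shape of a hardened version, as an added example that is not Kylin's code and not the content of the linked pull requests. The `Plugin` interface, the class names, the counter and the allowlist are assumptions made for illustration.

```java
import java.util.Set;

/**
 * Added example (not Apache Kylin's code): a caller-controlled class name reaching
 * Class.forName, beside an allowlisted replacement. Everything here is hypothetical.
 */
public class ClassLoadingDemo {

    /** Hypothetical extension point that user-selectable classes are meant to implement. */
    public interface Plugin {
        String run();
    }

    /** The one implementation the application intends to expose. */
    public static final class SafePlugin implements Plugin {
        @Override public String run() { return "safe"; }
    }

    /** Counts how often AttackerChosen's static initializer has run. */
    static int attackerStaticInitRuns = 0;

    /**
     * Stands in for any class on the classpath an attacker can name. Its static
     * initializer runs as soon as the class is initialized, before any constructor.
     */
    public static final class AttackerChosen {
        static { attackerStaticInitRuns++; }
    }

    /** Vulnerable: the caller's string is loaded, initialized and constructed as-is. */
    public static Object loadUnsafe(String className) throws Exception {
        Class<?> c = Class.forName(className);            // one-arg form: initialize=true
        return c.getDeclaredConstructor().newInstance();  // then the constructor runs too
    }

    /** Allowlist of binary class names; nested classes use '$' in their binary name. */
    private static final Set<String> ALLOWED =
        Set.of(ClassLoadingDemo.class.getName() + "$SafePlugin");

    /** Hardened: reject before loading, resolve without initializing, type-check after. */
    public static Plugin loadAllowlisted(String className) throws ReflectiveOperationException {
        if (!ALLOWED.contains(className)) {
            throw new IllegalArgumentException("class not permitted: " + className);
        }
        // initialize=false: no static initializer runs at this point
        Class<?> c = Class.forName(className, false, ClassLoadingDemo.class.getClassLoader());
        if (!Plugin.class.isAssignableFrom(c)) {
            throw new IllegalArgumentException("not a Plugin: " + className);
        }
        return c.asSubclass(Plugin.class).getDeclaredConstructor().newInstance();
    }

    public static void main(String[] args) throws Exception {
        String attacker = ClassLoadingDemo.class.getName() + "$AttackerChosen";

        // Vulnerable path: the attacker-picked class is initialized and constructed.
        loadUnsafe(attacker);
        System.out.println("static init runs after unsafe load: " + attackerStaticInitRuns); // 1

        // Hardened path: the same name never reaches Class.forName.
        try {
            loadAllowlisted(attacker);
        } catch (IllegalArgumentException e) {
            System.out.println("rejected: " + e.getMessage());
        }
        Plugin p = loadAllowlisted(ClassLoadingDemo.class.getName() + "$SafePlugin");
        System.out.println("allowed plugin: " + p.run());
    }
}
```

The allowlist check comes first on purpose: checking `isAssignableFrom` alone still lets an attacker initialize arbitrary classes, because the one-argument `Class.forName` runs static initializers before any type check can happen. The three-argument form with `initialize=false` closes that gap, but it is a second line of defence, not a substitute for the allowlist.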
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package (ecosystem) | Affected versions | Patched versions |
|---|---|---|
| org.apache.kylin:kylin (Maven) | < 3.1.3 | 3.1.3 |
| org.apache.kylin:kylin (Maven) | >= 4.0.0, < 4.0.1 | 4.0.1 |
Affected products
- Apache Software Foundation / Apache Kylin, range: Apache Kylin 2
References
- github.com/advisories/GHSA-q656-g2x3-8cgh (GitHub Security Advisory)
- nvd.nist.gov/vuln/detail/CVE-2021-31522 (NVD)
- www.openwall.com/lists/oss-security/2022/01/06/4 (oss-security announcement)
- github.com/apache/kylin/pull/1695 (fix for Kylin 2.x and 3.x, released in 3.1.3)
- github.com/apache/kylin/pull/1763 (fix for Kylin 4.x, released in 4.0.1)
- lists.apache.org/thread/hh5crx3yr701zd8wtpqo1mww2rlkvznw (Apache mailing list thread)