MySQL JDBC Connector Deserialization RCE
Description
Apache Kylin allows users to read data from other database systems using JDBC. The MySQL JDBC driver supports certain properties, which, if left unmitigated, can allow an attacker to execute arbitrary code from a hacker-controlled malicious MySQL server within Kylin server processes. This issue affects Apache Kylin 2 version 2.6.6 and prior versions; Apache Kylin 3 version 3.1.2 and prior versions.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Kylin versions 2.6.6 and earlier, and 3.1.2 and earlier, allow remote code execution via a malicious MySQL JDBC connection.
Vulnerability
Apache Kylin versions 2.6.6 and prior, and 3.1.2 and prior, contain a vulnerability where the MySQL JDBC driver processes certain properties that can be exploited by an attacker to execute arbitrary code. The issue affects Kylin 2.x and 3.x when connecting to a MySQL database. [1][3]
Exploitation
An attacker must control a malicious MySQL server and induce a Kylin server to connect to it via JDBC. The MySQL JDBC driver then deserializes attacker-controlled data, leading to remote code execution within the Kylin server process. No authentication or user interaction beyond initiating the connection is required. [1][3]
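The exploitation path above hinges on two things an operator controls: which MySQL host a Kylin-style service is allowed to connect to, and which client-side Connector/J properties the JDBC URL carries. The following Python is an added, defender-side illustration and not Kylin's or Connector/J's own code: it validates a user-supplied `jdbc:mysql://` URL before it reaches the driver, pinning the host to an approved list and refusing properties that let the server side drive deserialization or local file reads in the client process. The property names in `DANGEROUS_PROPERTIES` are real Connector/J options assumed here; the page itself only says "certain properties". The sample URLs and hosts are constructed.

```python
"""Audit a MySQL JDBC URL before a Kylin-style data source hands it to Connector/J.

Added illustration, not Kylin or Connector/J code. DANGEROUS_PROPERTIES lists
known Connector/J options (assumed here; the advisory only says "certain
properties") that expand what a malicious server can make the driver do.
Only the single-host URL form is handled; the address=(host=...) form is not.
"""
from urllib.parse import parse_qsl, urlsplit

# Matched case-insensitively to be conservative about how the driver reads keys.
DANGEROUS_PROPERTIES = {
    "autodeserialize",            # deserializes BLOB values the server returns
    "queryinterceptors",          # loads classes named in the URL into the client
    "statementinterceptors",      # older name for the same interceptor mechanism
    "detectcustomcollations",     # server-driven collation lookups at connect time
    "allowloadlocalinfile",       # server may request arbitrary client-side files
    "allowurlinlocalinfile",
    "allowloadlocalinfileinpath",
}


class UnsafeJdbcUrl(ValueError):
    """Raised when a JDBC URL must not be passed to the driver."""


def parse_mysql_jdbc_url(url):
    """Return (host, port, database, properties) for a jdbc:mysql:// URL.

    Property keys are lowercased so the caller can compare without caring
    about the case used in the URL.
    """
    prefix = "jdbc:mysql://"
    if not url.lower().startswith(prefix):
        raise UnsafeJdbcUrl("not a jdbc:mysql:// URL")
    parts = urlsplit(url[len("jdbc:"):])  # urlsplit understands mysql://host/db?q
    props = {
        key.strip().lower(): value
        for key, value in parse_qsl(parts.query, keep_blank_values=True)
    }
    return parts.hostname, parts.port or 3306, parts.path.lstrip("/"), props


def check_mysql_jdbc_url(url, allowed_hosts):
    """Raise UnsafeJdbcUrl unless the host is approved and no dangerous
    property is present; otherwise return the parsed (host, port, db, props)."""
    host, port, database, props = parse_mysql_jdbc_url(url)
    approved = {h.lower() for h in allowed_hosts}
    if host is None or host.lower() not in approved:
        raise UnsafeJdbcUrl(f"host {host!r} is not an approved MySQL source")
    bad = sorted(DANGEROUS_PROPERTIES & props.keys())
    if bad:
        raise UnsafeJdbcUrl(f"refusing server-trust-expanding properties {bad}")
    return host, port, database, props


def is_safe_mysql_jdbc_url(url, allowed_hosts):
    """Boolean wrapper for callers that only need accept/reject."""
    try:
        check_mysql_jdbc_url(url, allowed_hosts)
    except UnsafeJdbcUrl:
        return False
    return True


if __name__ == "__main__":
    # Constructed examples: an approved warehouse host and a non-approved one.
    approved_hosts = ["warehouse-db.internal"]
    samples = [
        "jdbc:mysql://warehouse-db.internal:3306/sales?useSSL=true",
        "jdbc:mysql://warehouse-db.internal/sales?autoDeserialize=true",
        "jdbc:mysql://203.0.113.5:3306/sales",
    ]
    for sample in samples:
        print(f"{'ACCEPT' if is_safe_mysql_jdbc_url(sample, approved_hosts) else 'REJECT'}  {sample}")
```

In practice the allow-list would come from the service's own configuration rather than a literal, and the denylist should be reviewed against the Connector/J version actually deployed, since property names have changed across releases. The check is independent of, not a substitute for, upgrading to a fixed Kylin release.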
Impact
Successful exploitation allows the attacker to execute arbitrary code on the Kylin server, potentially leading to full compromise of the server and access to sensitive data. The attack results in remote code execution. [1][3]
Mitigation
Users should upgrade to Apache Kylin 3.1.3 or apply the patch available at GitHub pull request #1694. No workaround is documented. [3]
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.kylin:kylin (Maven) | < 3.1.3 | 3.1.3 |
Affected products
- Apache Software Foundation / Apache Kylin (v5 range: Apache Kylin 2)
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] https://github.com/advisories/GHSA-5429-pjww-7675 (GHSA, advisory)
- [2] https://nvd.nist.gov/vuln/detail/CVE-2021-36774 (GHSA, advisory)
- [3] https://www.openwall.com/lists/oss-security/2022/01/06/5 (GHSA, mailing list, x_refsource_MLIST, web)
- [4] https://github.com/apache/kylin/pull/1646 (GHSA, web)
- [5] https://lists.apache.org/thread/lchpcvoolc6w8zc6vo1wstk8zbfqv2ow (GHSA, x_refsource_MISC, web)
News mentions
No linked articles in our index yet.