Apache Kylin: Session fixation in web interface
Description
Session Fixation vulnerability in Apache Kylin.
This issue affects Apache Kylin: from 2.0.0 through 4.x.
Users are recommended to upgrade to version 5.0.0 or above, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Session fixation vulnerability in Apache Kylin's web interface allows an attacker to hijack authenticated sessions by pre-setting a session ID, affecting versions 2.0.0 through 4.x.
Vulnerability
Overview
CVE-2024-23590 is a session fixation vulnerability in the web interface of Apache Kylin, an open-source OLAP engine for big data. The flaw allows an attacker to fixate a session identifier before a legitimate user authenticates, enabling session hijacking after login. This issue affects Apache Kylin versions from 2.0.0 through 4.x [1][3].
Exploitation
An attacker can exploit this vulnerability by first obtaining or crafting a valid session ID (e.g., by visiting the Kylin web interface) and then tricking a victim into using that same session ID, for example via a crafted link or by setting the session cookie. When the victim logs in, the attacker's pre-set session becomes authenticated, granting the attacker access to the victim's session without needing credentials [3].
Impact
Successful exploitation allows an attacker to impersonate an authenticated user, gaining unauthorized access to the Kylin web interface and potentially sensitive data or administrative functions. The severity is rated as low, but the impact can be significant in environments where Kylin is used for critical analytics [1][3].
Mitigation
Apache has addressed this vulnerability in Kylin version 5.0.0. Users are strongly recommended to upgrade to 5.0.0 or later. No workarounds have been provided for earlier versions [1][3].
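To make the flow in the Exploitation section concrete, here is an added example that is not Kylin's code and is not taken from the advisory: a constructed in-memory session store whose login handler authenticates the session in place (the fixation pattern) beside the standard fix of invalidating the pre-login id and issuing a fresh one at authentication time.

```python
import secrets


class SessionStore:
    """Minimal in-memory session store, constructed for illustration only."""

    def __init__(self):
        self.sessions = {}  # session_id -> session attributes

    def get_or_create(self, session_id=None):
        # A client-presented id is honoured only if the server issued it.
        if session_id is None or session_id not in self.sessions:
            session_id = secrets.token_hex(16)
            self.sessions[session_id] = {"user": None}
        return session_id

    def login_vulnerable(self, session_id, user):
        # Marks the existing session as authenticated without changing its id,
        # so anyone who already knows session_id now holds a logged-in session.
        self.sessions[session_id]["user"] = user
        return session_id

    def login_fixed(self, session_id, user):
        # Drop the pre-authentication id and bind the user to a fresh one, so an
        # id fixated before login carries no authenticated state afterwards.
        self.sessions.pop(session_id, None)
        new_id = secrets.token_hex(16)
        self.sessions[new_id] = {"user": user}
        return new_id

    def user_for(self, session_id):
        sess = self.sessions.get(session_id)
        return sess["user"] if sess else None


def fixation_succeeds(login):
    """Replay the fixation flow against a login handler; True if the
    id known before login ends up authenticated as the victim."""
    store = SessionStore()
    preset_id = store.get_or_create()          # id obtained before the victim logs in
    victim_id = store.get_or_create(preset_id)  # victim's browser presents that id
    login(store, victim_id, "victim")           # victim authenticates
    return store.user_for(preset_id) == "victim"


if __name__ == "__main__":
    print("vulnerable:", fixation_succeeds(SessionStore.login_vulnerable))  # True
    print("fixed:", fixation_succeeds(SessionStore.login_fixed))            # False
```

Rotating the identifier at login is the server-side control that makes a pre-set id useless; cookie flags alone do not prevent fixation.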
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.kylin:kylin (Maven) | >= 2.0.0, < 5.0.0 | 5.0.0 |
Affected products
- Apache Software Foundation / Apache Kylin, range: 2.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/advisories/GHSA-752q-72qc-rc66 (GHSA advisory)
- lists.apache.org/thread/7161154h0k6zygr9917qq0g95p39szml (vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2024-23590 (NVD advisory)
- www.openwall.com/lists/oss-security/2024/11/03/1 (oss-security post)
News mentions
No linked articles in our index yet.