Apache Kylin: Authentication bypass
Description
Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Kylin.
This issue affects Apache Kylin: from 4.0.0 through 5.0.2.
Users are recommended to upgrade to version 5.0.3, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Kylin versions 4.0.0 through 5.0.2 expose an unauthenticated user update API endpoint, allowing authentication bypass.
Vulnerability
Description
CVE-2025-61733 is an authentication bypass vulnerability in Apache Kylin, affecting versions 4.0.0 through 5.0.2. The root cause is that the endpoint /api/user/update_user was inadvertently configured with access="permitAll" in the Spring Security access control rules, meaning no authentication was required to call it [1][3]. This misconfiguration allowed any unauthenticated attacker to modify user accounts via this API path.
Exploitation and Attack Surface
The vulnerable endpoint is exposed over HTTP/HTTPS as part of the Kylin REST API. A request to /api/user/update_user is accepted without any credentials or session token, so the only precondition is network reachability of the Kylin server. Because the endpoint updates user records, an attacker could potentially change user roles, passwords, or other profile attributes; no authenticated user context is involved at any point [1][4].
Impact
By exploiting this flaw, an unauthenticated attacker could escalate privileges by modifying their own user record or creating/modifying other users if the endpoint also allows such operations. This effectively bypasses all authentication mechanisms, granting the attacker administrative control over the Kylin instance, including access to sensitive data and system configurations [2][3].
Mitigation
The fix was released in Apache Kylin version 5.0.3, which removes the permitAll rule for the update_user endpoint and requires proper authentication [1][3][4]. Users are strongly advised to upgrade to 5.0.3 or later. As of the publication date, no workarounds have been documented; applying the patch or upgrading is the only recommended action.
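The root cause described above is an allow-list entry rather than a code path, so the practical check for a defender is whether a deployed configuration still grants permitAll to this endpoint, both in the Spring Security intercept-url rules and in the gateway-path-filter.ignore-url property that the booter configs carry. The following is an added example, not code from the Kylin project: it parses a constructed kylinSecurity.xml excerpt (modelled on the rule block shown in the patch) and a constructed properties excerpt, and reports every path that is reachable without authentication but is not on an expected-public list. The expected-public list (EXPECTED_PUBLIC) and the /kylin context prefix handling are assumptions for the example; a reported path means "review this", not "this is vulnerable".

```python
"""Audit Spring Security and gateway allow-lists for unauthenticated paths.

Added example for CVE-2025-61733, not part of Apache Kylin. Scans
<scr:intercept-url ... access="permitAll"/> rules and the
gateway-path-filter.ignore-url property and reports any path that is
exempt from authentication but not on an expected-public list.
"""
import xml.etree.ElementTree as ET

# Constructed excerpt modelled on the kylinSecurity.xml hunk in the advisory;
# the update_user rule is the pre-5.0.3 misconfiguration.
SAMPLE_XML = """<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:scr="http://www.springframework.org/schema/security">
  <scr:http>
    <scr:intercept-url pattern="/api/kg/health" access="permitAll"/>
    <scr:intercept-url pattern="/api/kg/health/**" access="permitAll"/>
    <scr:intercept-url pattern="/api/monitor/alert" access="hasRole('ROLE_ADMIN')"/>
    <scr:intercept-url pattern="/api/user/update_user" access="permitAll"/>
    <scr:intercept-url pattern="/api/metastore/cleanup" access="permitAll"/>
    <scr:intercept-url pattern="/api/epoch" access="permitAll"/>
    <scr:intercept-url pattern="/api/**" access="isAuthenticated()"/>
  </scr:http>
</beans>
"""

# Constructed excerpt in the shape of the booter init.properties hunks.
SAMPLE_PROPERTIES = """\
spring.session.store-type=none
kyligence.kyiam.sdk.security.gateway-path-filter.ignore-url=/kylin/api/prometheus,/kylin/api/user/update_user,/kylin/api/health/**
kyligence.kyiam.sdk.security.gateway-path-filter.forbid-url=/kylin/api/job_delegate/**
"""

SPRING_SEC_NS = "http://www.springframework.org/schema/security"
IGNORE_URL_KEY = "kyligence.kyiam.sdk.security.gateway-path-filter.ignore-url"

# Hypothetical list of paths that legitimately need no credentials
# (health and metrics style endpoints). Not Kylin's own list.
EXPECTED_PUBLIC = {
    "/api/kg/health", "/api/kg/health/**",
    "/api/health", "/api/health/**",
    "/api/prometheus",
}


def permit_all_patterns(xml_text):
    """Return URL patterns Spring Security serves without authentication."""
    root = ET.fromstring(xml_text)
    return [
        rule.get("pattern")
        for rule in root.iter(f"{{{SPRING_SEC_NS}}}intercept-url")
        if rule.get("access", "").strip() == "permitAll"
    ]


def ignore_url_paths(properties_text, key=IGNORE_URL_KEY):
    """Return the comma-separated paths the gateway filter exempts from auth."""
    for line in properties_text.splitlines():
        line = line.strip()
        if line.startswith(key + "="):
            value = line[len(key) + 1:]
            return [p.strip() for p in value.split(",") if p.strip()]
    return []


def normalize(path):
    """Strip the /kylin context prefix used in the gateway properties (assumption)."""
    return path[len("/kylin"):] if path.startswith("/kylin/") else path


def unexpected_public(paths, expected=EXPECTED_PUBLIC):
    """Paths exempt from authentication that are not on the expected list."""
    return sorted({normalize(p) for p in paths} - expected)


def audit(xml_text, properties_text):
    """Run both checks and return findings keyed by the config source."""
    return {
        "spring_security": unexpected_public(permit_all_patterns(xml_text)),
        "gateway_ignore_url": unexpected_public(ignore_url_paths(properties_text)),
    }


if __name__ == "__main__":
    for source, paths in audit(SAMPLE_XML, SAMPLE_PROPERTIES).items():
        for path in paths:
            print(f"[{source}] unauthenticated access granted to {path}")
```

Run against the constructed inputs it reports /api/user/update_user from both sources, plus the other permitAll rules that the hypothetical expected-public list does not cover; on a real deployment, point the two parsers at each booter's kylinSecurity.xml and init.properties, because the patch shows the allow-list is duplicated per booter and a fixed copy in one file says nothing about the others.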
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.kylin:kylin (Maven) | >= 4.0.0, < 5.0.3 | 5.0.3 |
| org.apache.kylin:kylin-core-common (Maven) | >= 4.0.0, < 5.0.3 | 5.0.3 |
Affected products
- Apache Software Foundation / Apache Kylin (v5), range: 4.0.0
Patches
18 files changed · +9 −45
src/common-booter/src/main/resources/kylinSecurity.xml+0 −1 modified@@ -252,7 +252,6 @@ <scr:intercept-url pattern="/api/kg/health" access="permitAll"/> <scr:intercept-url pattern="/api/kg/health/**" access="permitAll"/> <scr:intercept-url pattern="/api/monitor/alert" access="hasRole('ROLE_ADMIN')"/> - <scr:intercept-url pattern="/api/user/update_user" access="permitAll"/> <scr:intercept-url pattern="/api/metastore/cleanup" access="permitAll"/> <scr:intercept-url pattern="/api/metastore/cleanup_storage" access="permitAll"/> <scr:intercept-url pattern="/api/epoch" access="permitAll"/>
src/common-server/src/main/java/org/apache/kylin/rest/config/SecurityConfig.java+1 −1 modified@@ -74,7 +74,7 @@ protected void configure(HttpSecurity http) throws Exception { http.authorizeRequests() .antMatchers("/api/streaming_jobs/spark", "/api/streaming_jobs/stats", "/api/streaming_jobs/dataflow/**", "/api/epoch/maintenance_mode", "/api/health", "/api/health/**", - "/api/prometheus", "/api/monitor/spark/prometheus", "/api/user/update_user", "/api/metastore/cleanup", + "/api/prometheus", "/api/monitor/spark/prometheus", "/api/metastore/cleanup", "/api/metastore/cleanup_storage", "/api/epoch", "/api/broadcast/**", "/api/config/is_cloud", "/api/system/license/file", "/api/system/license/content", "/api/system/license/trial", "/api/system/license", "/api/system/diag/progress", "/api/system/roll_event_log",
src/common-service/src/test/resources/kylinSecurity.xml+0 −1 modified@@ -243,7 +243,6 @@ <scr:intercept-url pattern="/api/kg/health" access="permitAll"/> <scr:intercept-url pattern="/api/kg/health/**" access="permitAll"/> <scr:intercept-url pattern="/api/monitor/alert" access="hasRole('ROLE_ADMIN')"/> - <scr:intercept-url pattern="/api/user/update_user" access="permitAll"/> <scr:intercept-url pattern="/api/metastore/cleanup" access="permitAll"/> <scr:intercept-url pattern="/api/metastore/cleanup_storage" access="permitAll"/> <scr:intercept-url pattern="/api/epoch" access="permitAll"/>
src/core-common/src/main/java/org/apache/kylin/tool/restclient/RestClient.java+0 −21 modified@@ -160,27 +160,6 @@ public HttpResponse query(String sql, String project) throws IOException { return client.execute(post); } - public HttpResponse updateUser(Object object) throws IOException { - String url = baseUrl + "/user/update_user"; - HttpPost post = newPost(url); - post.addHeader(ROUTED, "true"); - String jsonMsg = JsonUtil.writeValueAsIndentString(object); - post.setEntity(new StringEntity(jsonMsg, "UTF-8")); - HttpResponse response = null; - try { - response = client.execute(post); - if (response.getStatusLine().getStatusCode() != HttpStatus.SC_OK) { - String msg = EntityUtils.toString(response.getEntity()); - logger.error("Invalid response {} with update user {}\n{}", response.getStatusLine().getStatusCode(), - url, msg); - } - } finally { - cleanup(post, response); - tryCatchUp(); - } - return response; - } - public HttpResponse updateSourceUsage() throws IOException { String url = baseUrl + "/broadcast/capacity/refresh_all"; HttpPut put = newPut(url);
src/data-loading-booter/src/main/resources/config/init_min.properties+1 −1 modified@@ -491,7 +491,7 @@ kyligence.kyiam.sdk.tenant-id=${TENANT_ID} spring.session.store-type=none spring.cloud.nacos.config.server-addr=${NACOS_CONFIG_SERVER_ADDR_NO_HTTP} spring.cloud.nacos.discovery.service=data-loading -kyligence.kyiam.sdk.security.gateway-path-filter.ignore-url=/kylin/api/epoch/maintenance_mode,/kylin/api/prometheus,/kylin/api/user/update_user,/kylin/api/metastore/cleanup,/kylin/api/metastore/cleanup_storage,/kylin/api/epoch,/kylin/api/config/is_cloud,/api/system/license/file,/kylin/api/system/license/content,/kylin/api/system/license/trial,/api/system/license,/kylin/api/system/diag/progress,/kylin/api/system/roll_event_log,/api/user/authentication*/**,/kylin/api/system/backup,/kylin/api/cubes/src/tables,/kylin/api/admin/public_config,/kylin/api/admin/instance_info,/kylin/api/projects,/kylin/api/system/license/info,/kylin/api/health,/kylin/api/health/**,/api/prometheus,/kylin/api/broadcast/**,/kylin/api/models/model_info,/kylin/api/**/metrics,/kylin/api/cache*/**,/kylin/api/streaming_jobs/spark,/kylin/api/streaming_jobs/stats,/api/streaming_jobs/dataflow/**,/kylin/api/jobs/spark,/kylin/api/jobs/stage/status,/kylin/api/jobs/error,/api/jobs/wait_and_run_time,/kylin/api/system/clean_sparder_event_log 
+kyligence.kyiam.sdk.security.gateway-path-filter.ignore-url=/kylin/api/epoch/maintenance_mode,/kylin/api/prometheus,/kylin/api/metastore/cleanup,/kylin/api/metastore/cleanup_storage,/kylin/api/epoch,/kylin/api/config/is_cloud,/api/system/license/file,/kylin/api/system/license/content,/kylin/api/system/license/trial,/api/system/license,/kylin/api/system/diag/progress,/kylin/api/system/roll_event_log,/api/user/authentication*/**,/kylin/api/system/backup,/kylin/api/cubes/src/tables,/kylin/api/admin/public_config,/kylin/api/admin/instance_info,/kylin/api/projects,/kylin/api/system/license/info,/kylin/api/health,/kylin/api/health/**,/api/prometheus,/kylin/api/broadcast/**,/kylin/api/models/model_info,/kylin/api/**/metrics,/kylin/api/cache*/**,/kylin/api/streaming_jobs/spark,/kylin/api/streaming_jobs/stats,/api/streaming_jobs/dataflow/**,/kylin/api/jobs/spark,/kylin/api/jobs/stage/status,/kylin/api/jobs/error,/api/jobs/wait_and_run_time,/kylin/api/system/clean_sparder_event_log kyligence.kyiam.sdk.security.gateway-path-filter.forbid-url=/kylin/api/job_delegate/** kylin.engine.spark-conf.spark.kubernetes.executor.podNamePrefix=sparder-data-loading
src/data-loading-booter/src/main/resources/config/init.properties+1 −1 modified@@ -494,7 +494,7 @@ kyligence.kyiam.sdk.tenant-id=${TENANT_ID} spring.session.store-type=none spring.cloud.nacos.config.server-addr=${NACOS_CONFIG_SERVER_ADDR_NO_HTTP} spring.cloud.nacos.discovery.service=data-loading -kyligence.kyiam.sdk.security.gateway-path-filter.ignore-url=/kylin/api/epoch/maintenance_mode,/kylin/api/prometheus,/kylin/api/user/update_user,/kylin/api/metastore/cleanup,/kylin/api/metastore/cleanup_storage,/kylin/api/epoch,/kylin/api/config/is_cloud,/api/system/license/file,/kylin/api/system/license/content,/kylin/api/system/license/trial,/api/system/license,/kylin/api/system/diag/progress,/kylin/api/system/roll_event_log,/api/user/authentication*/**,/kylin/api/system/backup,/kylin/api/cubes/src/tables,/kylin/api/admin/public_config,/kylin/api/admin/instance_info,/kylin/api/projects,/kylin/api/system/license/info,/kylin/api/health,/kylin/api/health/**,/api/prometheus,/kylin/api/broadcast/**,/kylin/api/models/model_info,/kylin/api/**/metrics,/kylin/api/cache*/**,/kylin/api/streaming_jobs/spark,/kylin/api/streaming_jobs/stats,/api/streaming_jobs/dataflow/**,/kylin/api/jobs/spark,/kylin/api/jobs/stage/status,/kylin/api/jobs/error,/api/jobs/wait_and_run_time,/kylin/api/system/clean_sparder_event_log 
+kyligence.kyiam.sdk.security.gateway-path-filter.ignore-url=/kylin/api/epoch/maintenance_mode,/kylin/api/prometheus,/kylin/api/metastore/cleanup,/kylin/api/metastore/cleanup_storage,/kylin/api/epoch,/kylin/api/config/is_cloud,/api/system/license/file,/kylin/api/system/license/content,/kylin/api/system/license/trial,/api/system/license,/kylin/api/system/diag/progress,/kylin/api/system/roll_event_log,/api/user/authentication*/**,/kylin/api/system/backup,/kylin/api/cubes/src/tables,/kylin/api/admin/public_config,/kylin/api/admin/instance_info,/kylin/api/projects,/kylin/api/system/license/info,/kylin/api/health,/kylin/api/health/**,/api/prometheus,/kylin/api/broadcast/**,/kylin/api/models/model_info,/kylin/api/**/metrics,/kylin/api/cache*/**,/kylin/api/streaming_jobs/spark,/kylin/api/streaming_jobs/stats,/api/streaming_jobs/dataflow/**,/kylin/api/jobs/spark,/kylin/api/jobs/stage/status,/kylin/api/jobs/error,/api/jobs/wait_and_run_time,/kylin/api/system/clean_sparder_event_log kyligence.kyiam.sdk.security.gateway-path-filter.forbid-url=/kylin/api/job_delegate/** kylin.engine.spark-conf.spark.kubernetes.executor.podNamePrefix=sparder-data-loading
src/data-loading-booter/src/main/resources/kylinSecurity.xml+0 −1 modified@@ -252,7 +252,6 @@ <scr:intercept-url pattern="/api/kg/health" access="permitAll"/> <scr:intercept-url pattern="/api/kg/health/**" access="permitAll"/> <scr:intercept-url pattern="/api/monitor/alert" access="hasRole('ROLE_ADMIN')"/> - <scr:intercept-url pattern="/api/user/update_user" access="permitAll"/> <scr:intercept-url pattern="/api/metastore/cleanup" access="permitAll"/> <scr:intercept-url pattern="/api/metastore/cleanup_storage" access="permitAll"/> <scr:intercept-url pattern="/api/epoch" access="permitAll"/>
src/metadata-server/src/main/java/org/apache/kylin/rest/controller/NUserController.java+0 −8 modified@@ -522,14 +522,6 @@ public EnvelopeResponse<UserDetails> authenticate() { return response; } - @ApiOperation(value = "updateUser", tags = { "MID" }) - @PostMapping(value = "/update_user") - @ResponseBody - public EnvelopeResponse<UserDetails> updateUserWithoutAuth(@RequestBody ManagedUser user) { - userService.updateUser(user); - return new EnvelopeResponse<>(KylinException.CODE_SUCCESS, null, ""); - } - @ApiOperation(value = "authentication", tags = { "MID" }) @GetMapping(value = "/authentication", produces = { HTTP_VND_APACHE_KYLIN_JSON, HTTP_VND_APACHE_KYLIN_V4_PUBLIC_JSON })
src/ops-booter/src/main/resources/config/init_min.properties+1 −1 modified@@ -457,7 +457,7 @@ kyligence.kyiam.sdk.tenant-id=${TENANT_ID} spring.session.store-type=none spring.cloud.nacos.config.server-addr=${NACOS_CONFIG_SERVER_ADDR_NO_HTTP} spring.cloud.nacos.discovery.service=ops -kyligence.kyiam.sdk.security.gateway-path-filter.ignore-url=/kylin/api/epoch/maintenance_mode,/kylin/api/prometheus,/kylin/api/user/update_user,/kylin/api/metastore/cleanup,/kylin/api/metastore/cleanup_storage,/kylin/api/epoch,/kylin/api/config/is_cloud,/api/system/license/file,/kylin/api/system/license/content,/kylin/api/system/license/trial,/api/system/license,/kylin/api/system/diag/progress,/kylin/api/system/roll_event_log,/api/user/authentication*/**,/kylin/api/system/backup,/kylin/api/cubes/src/tables,/kylin/api/admin/public_config,/kylin/api/admin/instance_info,/kylin/api/projects,/kylin/api/system/license/info,/kylin/api/health,/kylin/api/health/**,/api/prometheus,/kylin/api/broadcast/**,/kylin/api/models/model_info,/kylin/api/**/metrics,/kylin/api/cache*/**,/kylin/api/system/clean_sparder_event_log +kyligence.kyiam.sdk.security.gateway-path-filter.ignore-url=/kylin/api/epoch/maintenance_mode,/kylin/api/prometheus,/kylin/api/metastore/cleanup,/kylin/api/metastore/cleanup_storage,/kylin/api/epoch,/kylin/api/config/is_cloud,/api/system/license/file,/kylin/api/system/license/content,/kylin/api/system/license/trial,/api/system/license,/kylin/api/system/diag/progress,/kylin/api/system/roll_event_log,/api/user/authentication*/**,/kylin/api/system/backup,/kylin/api/cubes/src/tables,/kylin/api/admin/public_config,/kylin/api/admin/instance_info,/kylin/api/projects,/kylin/api/system/license/info,/kylin/api/health,/kylin/api/health/**,/api/prometheus,/kylin/api/broadcast/**,/kylin/api/models/model_info,/kylin/api/**/metrics,/kylin/api/cache*/**,/kylin/api/system/clean_sparder_event_log kyligence.kyiam.sdk.security.gateway-path-filter.forbid-url=/kylin/api/job_delegate/** 
kylin.task.upload-gc-log-enabled=true
src/ops-booter/src/main/resources/config/init.properties+1 −1 modified@@ -456,7 +456,7 @@ kyligence.kyiam.sdk.tenant-id=${TENANT_ID} spring.session.store-type=none spring.cloud.nacos.config.server-addr=${NACOS_CONFIG_SERVER_ADDR_NO_HTTP} spring.cloud.nacos.discovery.service=ops -kyligence.kyiam.sdk.security.gateway-path-filter.ignore-url=/kylin/api/epoch/maintenance_mode,/kylin/api/prometheus,/kylin/api/user/update_user,/kylin/api/metastore/cleanup,/kylin/api/metastore/cleanup_storage,/kylin/api/epoch,/kylin/api/config/is_cloud,/api/system/license/file,/kylin/api/system/license/content,/kylin/api/system/license/trial,/api/system/license,/kylin/api/system/diag/progress,/kylin/api/system/roll_event_log,/api/user/authentication*/**,/kylin/api/system/backup,/kylin/api/cubes/src/tables,/kylin/api/admin/public_config,/kylin/api/admin/instance_info,/kylin/api/projects,/kylin/api/system/license/info,/kylin/api/health,/kylin/api/health/**,/api/prometheus,/kylin/api/broadcast/**,/kylin/api/models/model_info,/kylin/api/**/metrics,/kylin/api/cache*/**,/kylin/api/system/clean_sparder_event_log +kyligence.kyiam.sdk.security.gateway-path-filter.ignore-url=/kylin/api/epoch/maintenance_mode,/kylin/api/prometheus,/kylin/api/metastore/cleanup,/kylin/api/metastore/cleanup_storage,/kylin/api/epoch,/kylin/api/config/is_cloud,/api/system/license/file,/kylin/api/system/license/content,/kylin/api/system/license/trial,/api/system/license,/kylin/api/system/diag/progress,/kylin/api/system/roll_event_log,/api/user/authentication*/**,/kylin/api/system/backup,/kylin/api/cubes/src/tables,/kylin/api/admin/public_config,/kylin/api/admin/instance_info,/kylin/api/projects,/kylin/api/system/license/info,/kylin/api/health,/kylin/api/health/**,/api/prometheus,/kylin/api/broadcast/**,/kylin/api/models/model_info,/kylin/api/**/metrics,/kylin/api/cache*/**,/kylin/api/system/clean_sparder_event_log kyligence.kyiam.sdk.security.gateway-path-filter.forbid-url=/kylin/api/job_delegate/** 
kylin.task.upload-gc-log-enabled=true
src/query-booter/src/main/resources/config/init_min.properties+1 −1 modified@@ -501,7 +501,7 @@ kyligence.kyiam.sdk.tenant-id=${TENANT_ID} spring.session.store-type=none spring.cloud.nacos.config.server-addr=${NACOS_CONFIG_SERVER_ADDR_NO_HTTP} spring.cloud.nacos.discovery.service=query -kyligence.kyiam.sdk.security.gateway-path-filter.ignore-url=/kylin/api/epoch/maintenance_mode,/kylin/api/prometheus,/kylin/api/user/update_user,/kylin/api/metastore/cleanup,/kylin/api/metastore/cleanup_storage,/kylin/api/epoch,/kylin/api/config/is_cloud,/api/system/license/file,/kylin/api/system/license/content,/kylin/api/system/license/trial,/api/system/license,/kylin/api/system/diag/progress,/kylin/api/system/roll_event_log,/api/user/authentication*/**,/kylin/api/system/backup,/kylin/api/cubes/src/tables,/kylin/api/admin/public_config,/kylin/api/admin/instance_info,/kylin/api/projects,/kylin/api/system/license/info,/kylin/api/health,/kylin/api/health/**,/api/prometheus,/kylin/api/broadcast/**,/kylin/api/models/model_info,/kylin/api/**/metrics,/kylin/api/cache*/**,/kylin/api/system/clean_sparder_event_log +kyligence.kyiam.sdk.security.gateway-path-filter.ignore-url=/kylin/api/epoch/maintenance_mode,/kylin/api/prometheus,/kylin/api/metastore/cleanup,/kylin/api/metastore/cleanup_storage,/kylin/api/epoch,/kylin/api/config/is_cloud,/api/system/license/file,/kylin/api/system/license/content,/kylin/api/system/license/trial,/api/system/license,/kylin/api/system/diag/progress,/kylin/api/system/roll_event_log,/api/user/authentication*/**,/kylin/api/system/backup,/kylin/api/cubes/src/tables,/kylin/api/admin/public_config,/kylin/api/admin/instance_info,/kylin/api/projects,/kylin/api/system/license/info,/kylin/api/health,/kylin/api/health/**,/api/prometheus,/kylin/api/broadcast/**,/kylin/api/models/model_info,/kylin/api/**/metrics,/kylin/api/cache*/**,/kylin/api/system/clean_sparder_event_log kyligence.kyiam.sdk.security.gateway-path-filter.forbid-url=/kylin/api/job_delegate/** 
kylin.storage.columnar.spark-conf.spark.kubernetes.executor.podNamePrefix=sparder-query
src/query-booter/src/main/resources/config/init.properties+1 −1 modified@@ -506,7 +506,7 @@ kyligence.kyiam.sdk.tenant-id=${TENANT_ID} spring.session.store-type=none spring.cloud.nacos.config.server-addr=${NACOS_CONFIG_SERVER_ADDR_NO_HTTP} spring.cloud.nacos.discovery.service=query -kyligence.kyiam.sdk.security.gateway-path-filter.ignore-url=/kylin/api/epoch/maintenance_mode,/kylin/api/prometheus,/kylin/api/user/update_user,/kylin/api/metastore/cleanup,/kylin/api/metastore/cleanup_storage,/kylin/api/epoch,/kylin/api/config/is_cloud,/api/system/license/file,/kylin/api/system/license/content,/kylin/api/system/license/trial,/api/system/license,/kylin/api/system/diag/progress,/kylin/api/system/roll_event_log,/api/user/authentication*/**,/kylin/api/system/backup,/kylin/api/cubes/src/tables,/kylin/api/admin/public_config,/kylin/api/admin/instance_info,/kylin/api/projects,/kylin/api/system/license/info,/kylin/api/health,/kylin/api/health/**,/api/prometheus,/kylin/api/broadcast/**,/kylin/api/models/model_info,/kylin/api/**/metrics,/kylin/api/cache*/** +kyligence.kyiam.sdk.security.gateway-path-filter.ignore-url=/kylin/api/epoch/maintenance_mode,/kylin/api/prometheus,/kylin/api/metastore/cleanup,/kylin/api/metastore/cleanup_storage,/kylin/api/epoch,/kylin/api/config/is_cloud,/api/system/license/file,/kylin/api/system/license/content,/kylin/api/system/license/trial,/api/system/license,/kylin/api/system/diag/progress,/kylin/api/system/roll_event_log,/api/user/authentication*/**,/kylin/api/system/backup,/kylin/api/cubes/src/tables,/kylin/api/admin/public_config,/kylin/api/admin/instance_info,/kylin/api/projects,/kylin/api/system/license/info,/kylin/api/health,/kylin/api/health/**,/api/prometheus,/kylin/api/broadcast/**,/kylin/api/models/model_info,/kylin/api/**/metrics,/kylin/api/cache*/** kyligence.kyiam.sdk.security.gateway-path-filter.forbid-url=/kylin/api/job_delegate/** kylin.storage.columnar.spark-conf.spark.kubernetes.executor.podNamePrefix=sparder-query
src/query-booter/src/main/resources/kylinSecurity.xml+0 −1 modified@@ -251,7 +251,6 @@ <scr:intercept-url pattern="/api/kg/health" access="permitAll"/> <scr:intercept-url pattern="/api/kg/health/**" access="permitAll"/> <scr:intercept-url pattern="/api/monitor/alert" access="hasRole('ROLE_ADMIN')"/> - <scr:intercept-url pattern="/api/user/update_user" access="permitAll"/> <scr:intercept-url pattern="/api/metastore/cleanup" access="permitAll"/> <scr:intercept-url pattern="/api/metastore/cleanup_storage" access="permitAll"/> <scr:intercept-url pattern="/api/epoch" access="permitAll"/>
src/rec-booter/src/main/resources/config/init_min.properties+1 −1 modified@@ -475,7 +475,7 @@ kyligence.kyiam.sdk.tenant-id=${TENANT_ID} spring.session.store-type=none spring.cloud.nacos.config.server-addr=${NACOS_CONFIG_SERVER_ADDR_NO_HTTP} spring.cloud.nacos.discovery.service=smart -kyligence.kyiam.sdk.security.gateway-path-filter.ignore-url=/kylin/api/epoch/maintenance_mode,/kylin/api/prometheus,/kylin/api/user/update_user,/kylin/api/metastore/cleanup,/kylin/api/metastore/cleanup_storage,/kylin/api/epoch,/kylin/api/config/is_cloud,/api/system/license/file,/kylin/api/system/license/content,/kylin/api/system/license/trial,/api/system/license,/kylin/api/system/diag/progress,/kylin/api/system/roll_event_log,/api/user/authentication*/**,/kylin/api/system/backup,/kylin/api/cubes/src/tables,/kylin/api/admin/public_config,/kylin/api/admin/instance_info,/kylin/api/projects,/kylin/api/system/license/info,/kylin/api/health,/kylin/api/health/**,/api/prometheus,/kylin/api/broadcast/**,/kylin/api/models/model_info,/kylin/api/**/metrics,/kylin/api/cache*/**,/kylin/api/system/clean_sparder_event_log +kyligence.kyiam.sdk.security.gateway-path-filter.ignore-url=/kylin/api/epoch/maintenance_mode,/kylin/api/prometheus,/kylin/api/metastore/cleanup,/kylin/api/metastore/cleanup_storage,/kylin/api/epoch,/kylin/api/config/is_cloud,/api/system/license/file,/kylin/api/system/license/content,/kylin/api/system/license/trial,/api/system/license,/kylin/api/system/diag/progress,/kylin/api/system/roll_event_log,/api/user/authentication*/**,/kylin/api/system/backup,/kylin/api/cubes/src/tables,/kylin/api/admin/public_config,/kylin/api/admin/instance_info,/kylin/api/projects,/kylin/api/system/license/info,/kylin/api/health,/kylin/api/health/**,/api/prometheus,/kylin/api/broadcast/**,/kylin/api/models/model_info,/kylin/api/**/metrics,/kylin/api/cache*/**,/kylin/api/system/clean_sparder_event_log kyligence.kyiam.sdk.security.gateway-path-filter.forbid-url=/kylin/api/job_delegate/** 
kylin.storage.columnar.spark-conf.spark.kubernetes.executor.podNamePrefix=sparder-smart
src/rec-booter/src/main/resources/config/init.properties+1 −1 modified@@ -475,7 +475,7 @@ kyligence.kyiam.sdk.tenant-id=${TENANT_ID} spring.session.store-type=none spring.cloud.nacos.config.server-addr=${NACOS_CONFIG_SERVER_ADDR_NO_HTTP} spring.cloud.nacos.discovery.service=smart -kyligence.kyiam.sdk.security.gateway-path-filter.ignore-url=/kylin/api/epoch/maintenance_mode,/kylin/api/prometheus,/kylin/api/user/update_user,/kylin/api/metastore/cleanup,/kylin/api/metastore/cleanup_storage,/kylin/api/epoch,/kylin/api/config/is_cloud,/api/system/license/file,/kylin/api/system/license/content,/kylin/api/system/license/trial,/api/system/license,/kylin/api/system/diag/progress,/kylin/api/system/roll_event_log,/api/user/authentication*/**,/kylin/api/system/backup,/kylin/api/cubes/src/tables,/kylin/api/admin/public_config,/kylin/api/admin/instance_info,/kylin/api/projects,/kylin/api/system/license/info,/kylin/api/health,/kylin/api/health/**,/api/prometheus,/kylin/api/broadcast/**,/kylin/api/models/model_info,/kylin/api/**/metrics,/kylin/api/cache*/**,/kylin/api/system/clean_sparder_event_log +kyligence.kyiam.sdk.security.gateway-path-filter.ignore-url=/kylin/api/epoch/maintenance_mode,/kylin/api/prometheus,/kylin/api/metastore/cleanup,/kylin/api/metastore/cleanup_storage,/kylin/api/epoch,/kylin/api/config/is_cloud,/api/system/license/file,/kylin/api/system/license/content,/kylin/api/system/license/trial,/api/system/license,/kylin/api/system/diag/progress,/kylin/api/system/roll_event_log,/api/user/authentication*/**,/kylin/api/system/backup,/kylin/api/cubes/src/tables,/kylin/api/admin/public_config,/kylin/api/admin/instance_info,/kylin/api/projects,/kylin/api/system/license/info,/kylin/api/health,/kylin/api/health/**,/api/prometheus,/kylin/api/broadcast/**,/kylin/api/models/model_info,/kylin/api/**/metrics,/kylin/api/cache*/**,/kylin/api/system/clean_sparder_event_log kyligence.kyiam.sdk.security.gateway-path-filter.forbid-url=/kylin/api/job_delegate/** 
kylin.storage.columnar.spark-conf.spark.kubernetes.executor.podNamePrefix=sparder-smart
src/rec-booter/src/main/resources/kylinSecurity.xml+0 −1 modified@@ -252,7 +252,6 @@ <scr:intercept-url pattern="/api/kg/health" access="permitAll"/> <scr:intercept-url pattern="/api/kg/health/**" access="permitAll"/> <scr:intercept-url pattern="/api/monitor/alert" access="hasRole('ROLE_ADMIN')"/> - <scr:intercept-url pattern="/api/user/update_user" access="permitAll"/> <scr:intercept-url pattern="/api/metastore/cleanup" access="permitAll"/> <scr:intercept-url pattern="/api/metastore/cleanup_storage" access="permitAll"/> <scr:intercept-url pattern="/api/epoch" access="permitAll"/>
src/server/src/main/resources/kylinSecurity.xml+0 −1 modified@@ -256,7 +256,6 @@ <scr:intercept-url pattern="/api/prometheus" access="permitAll"/> <scr:intercept-url pattern="/api/monitor/spark/prometheus" access="permitAll"/> <scr:intercept-url pattern="/api/monitor/alert" access="hasRole('ROLE_ADMIN')"/> - <scr:intercept-url pattern="/api/user/update_user" access="permitAll"/> <scr:intercept-url pattern="/api/metastore/cleanup" access="permitAll"/> <scr:intercept-url pattern="/api/metastore/cleanup_storage" access="permitAll"/> <scr:intercept-url pattern="/api/epoch" access="permitAll"/>
src/streaming-service/src/test/resources/kylinSecurity.xml+0 −1 modified@@ -251,7 +251,6 @@ <scr:intercept-url pattern="/api/kg/health" access="permitAll"/> <scr:intercept-url pattern="/api/kg/health/**" access="permitAll"/> <scr:intercept-url pattern="/api/monitor/alert" access="hasRole('ROLE_ADMIN')"/> - <scr:intercept-url pattern="/api/user/update_user" access="permitAll"/> <scr:intercept-url pattern="/api/metastore/cleanup" access="permitAll"/> <scr:intercept-url pattern="/api/metastore/cleanup_storage" access="permitAll"/> <scr:intercept-url pattern="/api/epoch" access="permitAll"/>
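Review bot: the same one-line removal of the /api/user/update_user permitAll rule is repeated across seven kylinSecurity.xml copies (common-booter, common-service test, data-loading-booter, query-booter, rec-booter, server, streaming-service test), and after this change each copy still carries the rest of the permitAll block (/api/metastore/cleanup, /api/metastore/cleanup_storage, /api/epoch, ...). Consider sourcing the unauthenticated allow-list from one shared fragment, or adding a test that asserts the set of permitAll patterns is identical across these files, so that a rule added to one copy cannot silently diverge from the others.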
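Review bot: in the SecurityConfig.java hunk the antMatchers allow-list in configure(HttpSecurity) duplicates the XML permitAll set, and the change removes only "/api/user/update_user" while the remainder stays as an inline literal with no note on why each path must be reachable without authentication. A short justification per entry next to the list (health, metrics, license info), or a named constant shared with the XML-driven deployments, would make the next review of this list easier and would have made the update_user entry stand out sooner.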
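Review bot: in the RestClient.java hunk, removing updateUser is the right complement to dropping the controller method, but the removed body shows the call set a ROUTED header to "true", which suggests the endpoint was used for node-to-node propagation of user changes. The PR description should state how that propagation now happens, or that it is no longer needed, since the hunk gives no replacement; a grep for remaining updateUser callers is cheap to add to the verification notes.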
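Review bot: in the NUserController.java hunk, deleting updateUserWithoutAuth outright rather than only dropping the permitAll rule is the safer shape: the removed handler passes the @RequestBody ManagedUser straight to userService.updateUser(user) with no authorization check visible in the hunk, so keeping the method behind an authenticated rule alone would still have left the access decision to the service layer. Worth recording that reasoning in the commit message, and adding a negative test (POST /api/user/update_user no longer routes) so the mapping cannot be reintroduced unnoticed.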
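Review bot: the gateway-path-filter.ignore-url lists in the eight booter properties hunks are hand-maintained copies that already differ from each other: only the data-loading-booter lists carry the streaming_jobs and jobs entries, query-booter init.properties lacks the clean_sparder_event_log entry that its init_min.properties sibling has, and entries mix the /kylin/api/... and bare /api/... prefixes (e.g. /api/system/license/file, /api/prometheus, /api/streaming_jobs/dataflow/**). Removing /kylin/api/user/update_user from each is correct; consider also normalising the prefixes and documenting which form the gateway filter actually matches, since a mismatched prefix either silently fails to exempt a path or exempts one that should require authentication.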
Vulnerability mechanics
Generated on May 9, 2026. Inputs: CWE entries + fix-commit diffs from this CVE's patches. Citations validated against bundle.
References
- github.com/advisories/GHSA-mr9j-4j48-xcm2 (GHSA advisory)
- lists.apache.org/thread/8wmcffly6gp50nmfw8j4w3hlmv843yo0 (vendor advisory)
- nvd.nist.gov/vuln/detail/CVE-2025-61733 (advisory)
- www.openwall.com/lists/oss-security/2025/09/30/7 (web)
- github.com/apache/kylin/commit/8b2cb8c71bd9885d70dad4f1a9822e38d9949b8c (fix commit)
- github.com/apache/kylin/pull/2336 (pull request)
- issues.apache.org/jira/browse/KYLIN-6081 (issue)
News mentions
No linked articles in our index yet.