CVE-2025-61734

HIGH

Apache Kylin <5.0.2 - Info Disclosure

Title source: llm

Description

Files or Directories Accessible to External Parties vulnerability in Apache Kylin. You are fine as long as the Kylin's system and project admin access is well protected. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. Users are recommended to upgrade to version 5.0.3, which fixes the issue.

References (2)

[Issue Tracking, Vendor Advisory] https://lists.apache.org/thread/z705g7sn3g0bkchlqbo1hz1tyqorn4d2

[Mailing List] http://www.openwall.com/lists/oss-security/2025/09/30/8

Scores

CVSS v3 7.5

EPSS 0.0008

EPSS Percentile 23.9%

Attack Vector NETWORK

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

CISA SSVC

Vulnrichment

Exploitation none

Automatable no

Technical Impact partial

Details

CWE

CWE-552

Status published

Products (8)

apache/kylin 4.0.0 - 5.0.3

org.apache.kylin/kylin 4.0.0 - 5.0.3Maven

org.apache.kylin/kylin-common-server 4.0.0 - 5.0.3Maven

org.apache.kylin/kylin-common-service 4.0.0 - 5.0.3Maven

org.apache.kylin/kylin-core-common 4.0.0 - 5.0.3Maven

org.apache.kylin/kylin-core-metadata 4.0.0 - 5.0.3Maven

org.apache.kylin/kylin-ops-server 4.0.0 - 5.0.3Maven

org.apache.kylin/kylin-server 4.0.0 - 5.0.3Maven

Published Oct 02, 2025

Tracked Since Feb 18, 2026