CVE-2025-66518
Unknown Unknown - Not Provided
Local File Access Bypass in Apache Kyuubi Server

Publication date: 2026-01-05

Last updated on: 2026-01-05

Assigner: Apache Software Foundation

Description
Any client who can access to Apache Kyuubi Server via Kyuubi frontend protocols can bypass server-side config kyuubi.session.local.dir.allow.list and use local files which are not listed in the config. This issue affects Apache Kyuubi: from 1.6.0 through 1.10.2. Users are recommended to upgrade to version 1.10.3 or upper, which fixes the issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-01-05
Last Modified
2026-01-05
Generated
2026-06-16
AI Q&A
2026-01-05
EPSS Evaluated
2026-06-15
NVD
CVE-2025-66518
EUVD
EUVD-2026-0819
Affected Vendors & Products
Showing 2 associated CPEs
Vendor Product Version / Range
apache kyuubi From 1.6.0 (inc) to 1.10.2 (inc)
apache kyuubi 1.10.3
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-27 The product uses external input to construct a pathname that should be within a restricted directory, but it does not properly neutralize multiple internal "../" sequences that can resolve to a location that is outside of that directory.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability allows any client who can access the Apache Kyuubi Server via Kyuubi frontend protocols to bypass the server-side configuration 'kyuubi.session.local.dir.allow.list'. This means the client can use local files that are not listed or allowed by the server configuration, potentially accessing unauthorized local files.

Impact Analysis

The impact of this vulnerability is that unauthorized clients can access local files on the server that should be restricted by the server configuration. This can lead to exposure of sensitive data, unauthorized file access, and potential compromise of the server environment.

Mitigation Strategies

Users are recommended to upgrade Apache Kyuubi to version 1.10.3 or higher, which fixes the issue.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2025-66518. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart