CVE-2026-62390
Undergoing Analysis Undergoing Analysis - In Progress

SQL Injection in Apache Kylin

Vulnerability report for CVE-2026-62390, including description, CVSS score, EPSS score, affected products, exploitability, helpful resources, and attack-flow context.

Publication date: 2026-07-14

Last updated on: 2026-07-14

Assigner: Apache Software Foundation

Description

Improper Neutralization of Special Elements used in an SQL Command ('SQL Injection') vulnerability in Apache Kylin. A backend API refreshing table catalog may cause the injection to the generated SQL. This issue affects Apache Kylin: from 4 through 5.0.3. Users are recommended to upgrade to version 5.0.4, which fixes the issue.

CVSS Scores

EPSS Scores

Probability:
Percentile:

Meta Information

Published
2026-07-14
Last Modified
2026-07-14
Generated
2026-07-14
AI Q&A
2026-07-14
EPSS Evaluated
N/A
NVD
EUVD

Affected Vendors & Products

Showing 1 associated CPE
Vendor Product Version / Range
apache kylin From 4 (inc) to 5.0.3 (inc)

Helpful Resources

Exploitability

CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-89 The product constructs all or part of an SQL command using externally-influenced input from an upstream component, but it does not neutralize or incorrectly neutralizes special elements that could modify the intended SQL command when it is sent to a downstream component. Without sufficient removal or quoting of SQL syntax in user-controllable inputs, the generated SQL query can cause those inputs to be interpreted as SQL instead of ordinary user data.

Attack-Flow Graph

AI Quick Actions

Instant insights powered by AI
Executive Summary

This vulnerability is a SQL Injection flaw in Apache Kylin, specifically in versions 4 through 5.0.3. SQL Injection occurs when an attacker can insert or 'inject' malicious SQL code into a query, which can then be executed by the database.

In this case, the vulnerability exists in a backend API that refreshes table catalogs. When this API is used, it may improperly handle user-supplied input, allowing an attacker to inject malicious SQL commands into the generated SQL query. This could lead to unauthorized access to or manipulation of the database.

  • Affected software: Apache Kylin versions 4 through 5.0.3.
  • The vulnerability is tracked under the identifier KYLIN-6089.
  • Users are advised to upgrade to version 5.0.4 or later to fix the issue.
Impact Analysis

If you are using an affected version of Apache Kylin (versions 4 through 5.0.3), this vulnerability could have serious consequences for your system and data.

  • Unauthorized data access: An attacker could exploit this vulnerability to read sensitive data from your database, including user credentials, personal information, or other confidential data.
  • Data manipulation or deletion: The attacker could modify or delete data in your database, leading to data corruption or loss.
  • Privilege escalation: In some cases, SQL Injection can be used to gain administrative access to the database or even the underlying system.
  • System compromise: If the database is connected to other systems, the attacker might use this vulnerability as a stepping stone to compromise additional parts of your infrastructure.

The impact depends on the permissions of the database user and the sensitivity of the data stored in the database. If Apache Kylin is used in a critical environment, the consequences could be severe.

Compliance Impact

This vulnerability can have significant implications for compliance with various standards and regulations, depending on the type of data you handle and the industry you operate in.

  • GDPR (General Data Protection Regulation): If your database contains personal data of EU citizens, a SQL Injection vulnerability could lead to unauthorized access or exposure of this data. Under GDPR, this could be considered a data breach, potentially resulting in hefty fines (up to 4% of global annual revenue or €20 million, whichever is higher) and mandatory reporting to authorities and affected individuals.
  • HIPAA (Health Insurance Portability and Accountability Act): If your system handles protected health information (PHI) in the U.S., this vulnerability could lead to unauthorized access to PHI. This would be considered a breach under HIPAA, requiring notification to affected individuals, the Department of Health and Human Services, and possibly the media. It could also result in fines and corrective action plans.
  • PCI DSS (Payment Card Industry Data Security Standard): If your system processes, stores, or transmits credit card information, this vulnerability could lead to unauthorized access to cardholder data. Non-compliance with PCI DSS can result in fines, increased transaction fees, or even the loss of the ability to process credit card payments.
  • Other regulations: Depending on your industry and location, other regulations like SOX (Sarbanes-Oxley Act), FISMA (Federal Information Security Management Act), or industry-specific standards may also be impacted. These regulations often require the protection of sensitive data and the implementation of secure systems.

To maintain compliance, it is crucial to address this vulnerability promptly by upgrading to the fixed version of Apache Kylin (5.0.4 or later) and ensuring that your systems are secure against such attacks.

Detection Guidance

Detecting this SQL Injection vulnerability in Apache Kylin requires checking for the affected versions and monitoring for suspicious activity in the backend API responsible for refreshing table catalogs.

  • Verify the installed version of Apache Kylin. If it is between 4 and 5.0.3, the system is vulnerable. You can check the version by running the following command if Kylin provides a version check utility: 'kylin.sh version' or by inspecting the installation directory for version details.
  • Monitor network traffic or logs for unusual SQL queries originating from the Kylin backend API, particularly those involving table catalog refresh operations. Tools like Wireshark or log analyzers can help identify suspicious SQL patterns.
  • Review Kylin logs for errors or unexpected SQL statements generated during table catalog refreshes. Look for anomalies in the 'kylin.log' or related log files.
  • Use vulnerability scanning tools that support CVE detection, such as Nessus or OpenVAS, to scan for CVE-2026-62390 in your environment.
Mitigation Strategies

The primary mitigation for this vulnerability is to upgrade Apache Kylin to a fixed version. If upgrading is not immediately possible, consider the following steps to reduce risk.

  • Upgrade Apache Kylin to version 5.0.4 or later, as this version contains the fix for the SQL Injection vulnerability. Follow the official Apache Kylin upgrade guide for instructions.
  • Restrict access to the Kylin backend API, particularly the endpoint responsible for refreshing table catalogs. Use network-level controls such as firewalls or IP whitelisting to limit exposure.
  • Monitor and audit SQL queries generated by Kylin, especially those involving table catalog operations, to detect and block any injection attempts.
  • Apply input validation and sanitization to any user-provided data used in SQL queries within Kylin, if custom modifications are feasible.

Chat Assistant

Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-62390. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70

EPSS Chart