
CVE-2025-61733: Apache Kylin Authentication Bypass Vulnerability

CVSS Score (v3.1): 7.5

Basic Information

EPSS Score: 0.05099%
Published: 10/2/2025
Updated: 10/2/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N

Package Name                         Ecosystem   Vulnerable Versions   First Patched Version
org.apache.kylin:kylin               maven       >= 4.0.0, < 5.0.3     5.0.3
org.apache.kylin:kylin-core-common   maven       >= 4.0.0, < 5.0.3     5.0.3

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The analysis of the provided patch clearly indicates that the vulnerability lies within the updateUserWithoutAuth method of the NUserController class. The patch removes this method entirely, along with the security configurations that exposed it publicly. The method's name itself, updateUserWithoutAuth, is a strong indicator of its purpose. The changes in kylinSecurity.xml and SecurityConfig.java confirm that the endpoint /api/user/update_user was intentionally left without authentication. An attacker could exploit this by sending a crafted request to this endpoint to modify user accounts, bypassing authentication mechanisms. The removal of the corresponding client function updateUser in RestClient.java further corroborates that this functionality was being removed to fix the security issue.

Vulnerable functions

org.apache.kylin.rest.controller.NUserController.updateUserWithoutAuth
src/metadata-server/src/main/java/org/apache/kylin/rest/controller/NUserController.java
The `updateUserWithoutAuth` method in the `NUserController` class was exposed via the `/api/user/update_user` endpoint. The security configuration in `kylinSecurity.xml` explicitly allowed public access to this endpoint with `access="permitAll"`. This allowed an unauthenticated attacker to call this endpoint and modify user details, leading to an authentication bypass.
org.apache.kylin.tool.restclient.RestClient.updateUser
src/core-common/src/main/java/org/apache/kylin/tool/restclient/RestClient.java
This function was a client-side implementation that made calls to the vulnerable `/user/update_user` endpoint. While not the vulnerable function itself, it's a key part of the ecosystem around the vulnerability and was removed as part of the fix.
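The root cause above is a Spring Security intercept rule that granted permitAll to a state-changing user-management endpoint. A quick way for an operator to catch that class of misconfiguration is to audit the security XML for permitAll rules that are not on an explicit list of endpoints expected to be public. The script below is an added example, not Miggo's or Apache Kylin's code; the XML it parses is a constructed sample that only mimics the general shape of a Spring Security config (the real kylinSecurity.xml is not reproduced), and the EXPECTED_PUBLIC allowlist is an assumption an operator would tune to their own deployment.

```python
"""Audit a Spring Security XML config for intercept-url rules that grant
permitAll to paths not expected to be public (added example, not project code)."""
import fnmatch
import xml.etree.ElementTree as ET

# Constructed sample: shaped like a Spring Security XML config, values illustrative.
SAMPLE_CONFIG = """<?xml version="1.0" encoding="UTF-8"?>
<beans xmlns="http://www.springframework.org/schema/beans"
       xmlns:scr="http://www.springframework.org/schema/security">
  <scr:http>
    <scr:intercept-url pattern="/api/user/authentication*/**" access="permitAll"/>
    <scr:intercept-url pattern="/api/user/update_user" access="permitAll"/>
    <scr:intercept-url pattern="/api/health" access="permitAll"/>
    <scr:intercept-url pattern="/api/user/**" access="hasRole('ROLE_ADMIN')"/>
    <scr:intercept-url pattern="/api/**" access="isAuthenticated()"/>
  </scr:http>
</beans>
"""

# Assumed allowlist: the only paths this deployment expects to serve before login.
EXPECTED_PUBLIC = ("/api/user/authentication*", "/api/health", "/api/version")


def intercept_rules(xml_text):
    """Return (pattern, access) pairs for every intercept-url element, in
    document order (Spring evaluates them first-match-wins), ignoring the
    namespace prefix so both <intercept-url> and <scr:intercept-url> are found."""
    root = ET.fromstring(xml_text)
    rules = []
    for el in root.iter():
        if el.tag.rsplit("}", 1)[-1] == "intercept-url":
            rules.append((el.get("pattern", ""), el.get("access", "")))
    return rules


def is_expected_public(pattern):
    """True if the Ant-style pattern is covered by the allowlist.
    Trailing '/**' or '*' is stripped so '/x*/**' compares like '/x*'."""
    stripped = pattern.rstrip("/*")
    return any(fnmatch.fnmatch(stripped, allowed) or fnmatch.fnmatch(pattern, allowed)
               for allowed in EXPECTED_PUBLIC)


def unexpected_permit_all(xml_text):
    """Patterns granted permitAll that are not on the expected-public allowlist."""
    return [pattern for pattern, access in intercept_rules(xml_text)
            if access.strip() == "permitAll" and not is_expected_public(pattern)]


if __name__ == "__main__":
    for pattern in unexpected_permit_all(SAMPLE_CONFIG):
        print(f"REVIEW: unauthenticated access granted to {pattern}")
```

Run against the sample, the only finding is /api/user/update_user, which is exactly the kind of rule the patch removed; the authentication and health endpoints pass because they are on the allowlist. Because Spring applies intercept rules first-match-wins, the audit reports rules in document order so a reviewer can also see whether a broad permitAll shadows a stricter rule below it.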

WAF Protection Rules

WAF Rule

Authentication Bypass Using an Alternate Path or Channel vulnerability in Apache Kylin. This issue affects Apache Kylin: from 4.0.0 through 5.0.2. Users are recommended to upgrade to version 5.0.3, which fixes the issue.
