External risk intelligence

Apache Kylin SQL Injection Vulnerability in Table Catalog Refresh API

CVE advisorySeverity: CRITICAL (CVSS 9.8)

CVE-2026-62390

Apache Kylin is an analytical data warehouse platform commonly deployed as a web-based application or API service to provide business intelligence and data access, making its backend APIs often reachable in environments where users or applications interact with the platform.

SQL Injection

Apache Kylin

4.0.0 to before 5.0.4

Halo Surface Signal: 4 out of 5 — likely to be public-facing.

External exposure likelihood

Horizon Alert

Summary of the vulnerability and why it matters

A critical vulnerability has been identified in Apache Kylin, an analytical data warehouse platform. This issue stems from an SQL injection flaw in a backend API that refreshes table catalogs, potentially allowing unauthorized manipulation of data through crafted inputs. The primary concern is to confirm if your environment utilizes this specific technology and assess any potential exposure.

  • SQL injection flaw in data platform API.
  • Confirms relevance and exposure for leaders.
  • Assess potential for unauthorized data access.

Attack Path

How an attacker could exploit the issue

An attacker could exploit this vulnerability by sending specially crafted requests to a backend API within Apache Kylin. This API, responsible for refreshing table catalogs, is susceptible to SQL injection when it processes user-supplied input without proper sanitization. Successful exploitation could allow an attacker to manipulate database queries, potentially leading to unauthorized data access or modification.

  • No authentication or special privileges needed.
  • Triggered by refreshing table catalog.
  • Leads to SQL injection and data compromise.

Live Threat

Current exploitation, exposure, and threat context

A SQL injection vulnerability in Apache Kylin's backend API could allow an attacker to manipulate queries when refreshing the table catalog. This may lead to unauthorized access, modification, or deletion of data within the Apache Kylin system.

  • SQL commands and table catalog data.
  • Via a crafted API request.
  • Unauthorized data access or modification.

Operational Fix

Recommended remediation, mitigation, and detection steps

This SQL injection vulnerability in Apache Kylin's backend API for refreshing table catalogs impacts all deployments. Platform or data engineering teams are likely responsible for Apache Kylin, and should begin by identifying all instances of Kylin, assessing their exposure and criticality, and then coordinating with the vendor or an internal security team to plan an upgrade or apply available mitigations.

  • Platform or data engineering teams own this.
  • Verify Kylin instances and their reachability.
  • Plan upgrade or mitigate risk.

Supplementary metadata

Validate whether this threat affects your internet-facing exposure.

Halo Threat Intelligence helps prioritize remediation with Halo Surface Signal and H/A/L/O context. Start exposure validation with a free external attack surface trial.

Frequently asked questions

What is Apache Kylin?

Apache Kylin is an analytical data warehouse platform used to provide high-performance business intelligence and large-scale data analysis. It functions as a web-based application or API service that allows users to query and interact with massive datasets efficiently.

What does CWE-89 mean for CVE-2026-62390?

CWE-89 refers to SQL Injection. In the context of this CVE, it means the application fails to properly clean user-supplied input before using it in a database query. Because of this, an attacker can insert their own malicious SQL commands into the backend API responsible for refreshing the table catalog, tricking the system into executing unauthorized database operations.

How is this SQL injection vulnerability triggered?

The vulnerability is triggered when a crafted, malicious request is sent to the specific backend API endpoint designed to refresh the table catalog. Simply navigating the standard user interface or performing routine data analysis will not trigger the bug; it requires the specific input sequence that targets this refresh process to manipulate the underlying database commands.

Is my Apache Kylin instance at risk?

According to Halo Surface Signal, Apache Kylin is often deployed as a web-based application or API service, which frequently makes its backend APIs reachable to users or external applications. If your instance is accessible over a network, the risk is higher, as an attacker does not need special authentication or privileges to send the malicious requests that trigger this vulnerability.

What should I do to address this vulnerability?

The recommended response is to upgrade your Apache Kylin installation to version 5.0.4 or later. You should begin by identifying all instances of Kylin running in your environment, assessing their current version, and coordinating with your data engineering or platform teams to prioritize and schedule the software update.

References