Apache Kyuubi: Unauthorized directory access due to missing path normalization

8.8 / 10

HIGH

CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L

Description

Any client who can access to Apache Kyuubi Server via Kyuubi frontend protocols can bypass server-side config kyuubi.session.local.dir.allow.list and use local files which are not listed in the config.

This issue affects Apache Kyuubi: from 1.6.0 through 1.10.2.

Users are recommended to upgrade to version 1.10.3 or upper, which fixes the issue.

AI Analysis

Unauthorized directory access due to missing path normalization in Apache Kyuubi

Basic Information

ID CVE-2025-66518

Source apache

Published Jan 5, 2026 at 08:46

Affected Product

Vendor Apache Software Foundation

Product Apache Kyuubi

Version 1.6.0

Affected Versions Apache Software Foundation Apache Kyuubi 1.6.0

CWE Classification

CWE-27

AI Assessment

AI Score 8.8 / 10

AI Severity High

Vendor Apache Software Foundation

Product Apache Kyuubi

Version 1.6.0-1.10.2

References

lists.apache.org /thread/xp460bwbyzdhho34ljd4nchyt2fmhodl

{
    "lastseen": "",
    "description": "Any client who can access to Apache Kyuubi Server via Kyuubi frontend protocols can bypass server-side config kyuubi.session.local.dir.allow.list and use local files which are not listed in the config.\n\nThis issue affects Apache Kyuubi: from 1.6.0 through 1.10.2.\n\nUsers are recommended to upgrade to version 1.10.3 or upper, which fixes the issue.",
    "published": "2026-01-05T08:46:27.649Z",
    "modified": "2026-01-05T08:46:27.649Z",
    "type": "cve",
    "title": "Apache Kyuubi: Unauthorized directory access due to missing path normalization",
    "source": "apache",
    "references": "https://lists.apache.org/thread/xp460bwbyzdhho34ljd4nchyt2fmhodl",
    "id": "CVE-2025-66518",
    "bulletinFamily": "",
    "cwe": [
        "CWE-27"
    ],
    "cvelist": null,
    "sourceData": "Apache Software Foundation Apache Kyuubi 1.6.0",
    "sourceHref": "",
    "cvss": {
        "score": 8.8,
        "severity": "HIGH",
        "vector": "CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:P/VC:H/VI:H/VA:L/SC:H/SI:H/SA:L",
        "version": "4.0"
    },
    "cvss2": [],
    "cvss3": {
        "version": "",
        "vectorString": "",
        "baseScore": 0,
        "baseSeverity": "",
        "attackVector": "",
        "attackComplexity": "",
        "privilegesRequired": "",
        "userInteraction": "",
        "scope": "",
        "confidentialityImpact": "",
        "integrityImpact": "",
        "availabilityImpact": "",
        "cvssV3": {
            "version": "",
            "vectorString": "",
            "baseScore": 0,
            "baseSeverity": "",
            "attackVector": "",
            "attackComplexity": "",
            "privilegesRequired": "",
            "userInteraction": "",
            "scope": "",
            "confidentialityImpact": "",
            "integrityImpact": "",
            "availabilityImpact": ""
        }
    },
    "href": "",
    "category_name": "CVE",
    "post_link": "",
    "product": "Apache Kyuubi",
    "version": "1.6.0",
    "vendor": "Apache Software Foundation",
    "ai_description": "Unauthorized directory access due to missing path normalization in Apache Kyuubi",
    "ai_severity": "High",
    "ai_vendor": "Apache Software Foundation",
    "ai_product": "Apache Kyuubi",
    "ai_version": "1.6.0-1.10.2",
    "ai_score": 8.8
}

Apache Kyuubi: Unauthorized directory access due to missing path normalization_CVE-2025-66518