Unauthorized File Access Vulnerability in Apache Linkis
CVE-2025-29847

7.5HIGH

Key Information:

Vendor: Apache
Status: Apache Linkis
Vendor: CVE Published:; 19 January 2026

What is CVE-2025-29847?

A vulnerability exists in Apache Linkis that may allow unauthorized access to system files through JDBC parameters. This issue arises when the JDBC engine is utilized and the frontend URL parameter has been subjected to multiple rounds of URL encoding, potentially bypassing security checks. It affects versions from 1.3.0 to 1.7.0. Users are advised to upgrade to version 1.8.0 to mitigate this risk.

Affected Version(s)

Apache Linkis 1.3.0 <= 1.7.0

References

https://lists.apache.org/thread/03l5rfkgdt022o75jp8x4tzpq...

vendor-advisory

CVSS V3.1

Score:

7.5

Severity:

HIGH

Confidentiality:

High

Integrity:

None

Availability:

High

Attack Vector:

Network

Attack Complexity:

Low

Privileges Required:

None

User Interaction:

None

Scope:

Unchanged

Timeline

Vulnerability published
Jan 19, 2026
Vulnerability Reserved
Mar 12, 2025

Credit

Le1a and A1kaid from Threatbook

kinghao

Le1a from Threatbook

kinghao

JSON