Information Leakage Vulnerability in Apache Linkis Affects Sensitive Configuration Logs
CVE-2025-59355

6.5 MEDIUM

Key Information:

Vendor

Apache

CVE Published:
19 January 2026

What is CVE-2025-59355?

A vulnerability exists in Apache Linkis where the decode() function in org.apache.linkis.metadata.util.HiveUtils may fail to correctly perform Base64 decoding. When decoding fails, sensitive information such as Hive Metastore keys and plaintext passwords is written to the log, creating a risk of information leakage. The risk is heightened when log files are readable by users who do not administer hive-site.xml. Users are urged to update to version 1.8.0 or later, which mitigates the issue by desensitizing the logs so that they no longer expose sensitive data.
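The bug class described above, shown as an added example that is not the Apache Linkis source: a decode helper that logs its input on failure, next to a form that withholds the value. The class and method names are hypothetical, and returning the raw value as a fallback is an assumption made for the illustration.

```java
import java.nio.charset.StandardCharsets;
import java.util.Base64;
import java.util.logging.Level;
import java.util.logging.Logger;

// Added illustration of the logging flaw; hypothetical names, not project code.
public class DecodeLoggingExample {
    private static final Logger LOG =
            Logger.getLogger(DecodeLoggingExample.class.getName());

    // Leaky pattern: when the input is not valid Base64 (for example a
    // plaintext password taken from hive-site.xml), the catch block writes
    // the raw value into the log line.
    static String decodeLeaky(String value) {
        try {
            return new String(Base64.getDecoder().decode(value), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            LOG.log(Level.SEVERE, "decode failed for value: " + value, e);
            return value; // assumed fallback
        }
    }

    // Desensitized pattern: log only the property name and the input length.
    // The exception is not attached, because the decoder's message reports
    // the offending input character.
    static String decodeSafe(String propertyName, String value) {
        try {
            return new String(Base64.getDecoder().decode(value), StandardCharsets.UTF_8);
        } catch (IllegalArgumentException e) {
            LOG.log(Level.WARNING,
                    "Base64 decode failed for property {0} (length {1}); value withheld",
                    new Object[] {propertyName, value.length()});
            return value; // assumed fallback
        }
    }

    public static void main(String[] args) {
        // Constructed sample: '-' and '!' are outside the basic Base64 alphabet,
        // so decoding throws and each method takes its failure path.
        String constructed = "hive-pass!";
        decodeLeaky(constructed);   // log line contains the secret
        decodeSafe("javax.jdo.option.ConnectionPassword", constructed); // log line does not
    }
}
```

Running `main` prints both log records to stderr, so the difference between the two failure paths is visible side by side.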

Affected Version(s)

Apache Linkis 1.0.0 <= 1.7.0

CVSS V3.1

Score:
6.5
Severity:
MEDIUM
Confidentiality:
High
Integrity:
None
Availability:
High
Attack Vector:
Network
Attack Complexity:
Low
Privileges Required:
Low
User Interaction:
None
Scope:
Unchanged

Timeline

  • Vulnerability published

  • Vulnerability Reserved

Credit

Kyler
kinghao
Le1a
kinghao