Configuration Bypass in Apache Kyuubi Server by The Apache Software Foundation
CVE-2025-66518
8.8 HIGH
What is CVE-2025-66518?
The Apache Kyuubi Server is susceptible to a configuration bypass that allows unauthorized clients to access server-side configurations. Specifically, clients can bypass the 'kyuubi.session.local.dir.allow.list' restriction, thereby gaining access to local files that are not explicitly permitted in the server configuration. This vulnerability affects versions 1.6.0 through 1.10.2 of Apache Kyuubi. Users are advised to update to version 1.10.3 or newer to mitigate this risk and improve server security.
Affected Version(s)
Apache Kyuubi 1.6.0 through 1.10.2 (inclusive)
CVSS V4
Score:
8.8
Severity:
HIGH
Confidentiality:
High
Integrity:
High
Availability:
Low
Attack Vector:
Network
Attack Complexity:
Low
Attack Requirements:
Physical
Privileges Required:
Undefined
User Interaction:
Unknown
Credit
Hiroki Egawa