Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <381394ec-30e1-1a96-4f53-72558550966d@apache.org>
Date: Mon, 05 Jan 2026 05:03:54 +0000
From: Akira Ajisaka <aajisaka@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2025-66518: Apache Kyuubi: Unauthorized directory access due
 to missing path normalization 

Severity: 

Affected versions:

- Apache Kyuubi (org.apache.kyuubi:kyuubi-server) 1.6.0 through <=1.10.2

Description:

Any client who can access to Apache Kyuubi Server via Kyuubi frontend protocols can bypass server-side config kyuubi.session.local.dir.allow.list and use local files which are not listed in the config.

This issue affects Apache Kyuubi: from 1.6.0 through 1.10.2.

Users are recommended to upgrade to version 1.10.3 or upper, which fixes the issue.

Credit:

Hiroki Egawa (reporter)
Hiroki Egawa (remediation developer)

References:

https://kyuubi.apache.org
https://www.cve.org/CVERecord?id=CVE-2025-66518

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.