CVE-2025-66518
Published: 05 January 2026
Summary
CVE-2025-66518 is a high-severity path traversal vulnerability (CWE-27, Path Traversal: 'dir/../../filename') in Apache Kyuubi. Its CVSS base score is 8.8 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). The CVE ranks in the top 45.2% of CVEs by exploit likelihood and is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 SI-10 (Information Input Validation) and SI-2 (Flaw Remediation).
Deeper analysis
CVE-2025-66518 is a vulnerability in Apache Kyuubi that enables any client accessing the Apache Kyuubi Server via Kyuubi frontend protocols to bypass the server-side configuration kyuubi.session.local.dir.allow.list. This allows the client to use local files not listed in the configuration. The issue affects Apache Kyuubi versions from 1.6.0 through 1.10.2 and was published on 2026-01-05.
A low-privileged remote attacker (PR:L) with network access to the Kyuubi Server can exploit this vulnerability with low complexity and no user interaction required. The CVSS v3.1 base score of 8.8 (AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H) reflects high impacts on confidentiality, integrity, and availability. The flaw is linked to CWE-22 (Path Traversal) and CWE-27 (Relative Path Traversal), potentially allowing arbitrary local file access.
Apache advisories recommend upgrading to version 1.10.3 or later to remediate the issue. Additional details are available in the Apache mailing list thread at https://lists.apache.org/thread/xp460bwbyzdhho34ljd4nchyt2fmhodl and the OSS-Security announcement at http://www.openwall.com/lists/oss-security/2026/01/05/1.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-0819
Vulnerability details
Any client who can access Apache Kyuubi Server via Kyuubi frontend protocols can bypass the server-side config kyuubi.session.local.dir.allow.list and use local files which are not listed in the config. This issue affects Apache Kyuubi: from 1.6.0 through 1.10.2. Users are recommended to upgrade to version 1.10.3 or later, which fixes the issue.
Related Threats
MITRE ATT&CK Enterprise Techniques
Why these techniques?
Path traversal in public-facing Kyuubi server directly enables remote exploitation of the application (T1190) and unauthorized access to arbitrary local files (T1005).
Mitigating Controls (NIST 800-53 r5)
- SI-10 (Information Input Validation): validates client-supplied file paths to block path traversal attempts that bypass the kyuubi.session.local.dir.allow.list configuration.
- SI-2 (Flaw Remediation): requires timely remediation of identified flaws like this path traversal vulnerability through patching to versions such as 1.10.3.
- AC-3 (Access Enforcement): enforces approved authorizations for local file access, mitigating bypasses of directory allow lists by low-privileged clients.
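As an added illustration of the input-validation control described above (example code, not Kyuubi's own implementation; the allow-list value and the sample client paths are constructed), this compares a bare string-prefix check, which a 'dir/../../filename' path slips past, with a check that canonicalises the path before testing directory containment:

```python
import os
from typing import Iterable

# Constructed value in the shape of kyuubi.session.local.dir.allow.list
# (comma-separated local directories). Illustrative only, not Kyuubi's code.
ALLOW_LIST_SETTING = "/data/allowed, /srv/kyuubi/local"


def parse_allow_list(setting: str) -> list[str]:
    """Split the comma-separated setting and normalise each directory entry."""
    return [os.path.normpath(d.strip()) for d in setting.split(",") if d.strip()]


def naive_allowed(path: str, allow_dirs: Iterable[str]) -> bool:
    """Plain string-prefix test on the raw client path.

    This is the kind of check a CWE-27 'dir/../../filename' path defeats:
    the prefix still matches although the resolved location lies elsewhere.
    """
    return any(path.startswith(d) for d in allow_dirs)


def canonical_allowed(path: str, allow_dirs: Iterable[str]) -> bool:
    """Resolve the path first, then require it to sit inside an allowed dir.

    realpath collapses '..' segments and follows symlinks; commonpath enforces
    directory containment rather than a bare prefix, so '/data/allowed_other'
    is not mistaken for '/data/allowed'.
    """
    resolved = os.path.realpath(path)
    for d in allow_dirs:
        try:
            if os.path.commonpath([resolved, d]) == d:
                return True
        except ValueError:
            continue  # mixed absolute/relative or different drives: no match
    return False


def compare(paths: Iterable[str], setting: str = ALLOW_LIST_SETTING) -> dict:
    """Return {path: (naive verdict, canonical verdict)} for side-by-side review."""
    allow_dirs = parse_allow_list(setting)
    return {p: (naive_allowed(p, allow_dirs), canonical_allowed(p, allow_dirs)) for p in paths}


if __name__ == "__main__":
    # Constructed sample client paths: legitimate, traversal, and prefix collision.
    samples = ["/data/allowed/sub/table.parquet",
               "/data/allowed/../../other/file.csv",
               "/data/allowed_other/file.csv"]
    for p, (naive, canonical) in compare(samples).items():
        print(f"{p:40} naive={naive!s:5} canonical={canonical}")
```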