CVE-2025-61733: 
Java vulnerability analysis and mitigation

A high-severity authentication bypass vulnerability (CVE-2025-61733) was discovered in Apache Kylin, affecting versions 4.0.0 through 5.0.2. The vulnerability was disclosed on October 2, 2025, and allows attackers to bypass authentication mechanisms using an alternate path or channel (NVD, Daily CyberSecurity).

The vulnerability has been assigned a CVSS v3.1 base score of 7.5 (High) with the vector string CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N. The root cause was identified in the updateUserWithoutAuth method of the NUserController class, where the /api/user/update_user endpoint was intentionally left without authentication. The vulnerability is classified as CWE-288 (Authentication Bypass Using an Alternate Path or Channel) (Miggo).

Given Apache Kylin's role in large-scale analytics and business intelligence, this vulnerability could allow attackers to gain unauthorized access to sensitive data or administrative functions within Kylin environments. The exploitation could particularly impact enterprises relying on Kylin for their business intelligence operations (Daily CyberSecurity).

Users are strongly recommended to upgrade to Apache Kylin version 5.0.3, which contains the fix for this vulnerability. The patch removes the vulnerable updateUserWithoutAuth method entirely, along with the security configurations that exposed it publicly (NVD, Daily CyberSecurity).