Wei Lin Ngo

**Name of the Vulnerable Software and Affected Versions** Apache Kylin versions prior to 3.1.2 **Description** The issue is related to insufficient security checks in the `StreamingCoordinatorController.java` component, which handles `/kylin/api/streaming coordinator/*` REST API endpoints. This allows an unauthenticated user to issue arbitrary requests, such as assigning or unassigning streaming cubes, and creating, modifying, or deleting replica sets. For endpoints that accept node details in the HTTP message body, unauthenticated server-side request forgery (SSRF) can be achieved. **Recommendations** For versions prior to 3.1.2, update to version 3.1.2 or later to resolve the issue. As a temporary workaround, consider restricting access to the `/kylin/api/streaming coordinator/*` API endpoints to prevent unauthenticated requests. Avoid using the `StreamingCoordinatorController.java` component until the issue is resolved. Restrict access to endpoints that accept node details in the HTTP message body to minimize the risk of SSRF exploitation.