Author
Johannes Dahse
Word count
983
Language
English

Summary

Apache Kylin is an open-source, distributed analytical data warehouse for big data, written in Java, originally developed at eBay and used by large enterprises to analyze very large datasets. A SQL injection vulnerability in Kylin (CVE-2020-1937) led to the discovery of a second, more severe vulnerability (CVE-2020-1956): an OS command injection that lets an authenticated user execute arbitrary commands on the Kylin host and take over the system. The issue affects all releases up to 2.6.5 and 3.0.1 and is reachable by users holding MANAGEMENT or ADMIN permissions when they trigger a Cube migration through the Kylin web interface, where user-controlled parameters end up in an OS command. Input validation is the necessary mitigation: rather than trying to filter known-bad characters, an alternative patch based on an allowlist was implemented, so that a user-controlled parameter can no longer break out of the current command and invoke a new one. The patch shipped in Apache Kylin 3.0.2 and 2.6.6; users should upgrade or, until they can, disable Cube migrations to prevent exploitation.
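The class of bug the summary describes, and the allowlist fix, as an added illustrative example; this is not Apache Kylin's code, and the parameter names `cube_name` and `project`, the stand-in `echo` command and the character set of the allowlist are all assumptions made for the demo. The vulnerable builder concatenates request parameters into a shell command line, so a value containing `;` terminates the migration command and starts a new one; the hardened builder validates each parameter against an allowlist and passes it as a separate argv element with no shell in between:

```python
"""Command-injection demo: concatenated shell command vs allowlisted argv.
Added example, not Kylin's code; parameter names and commands are stand-ins."""
import re
import subprocess
import sys

# Allowlist (assumed for the demo): identifiers may contain only letters,
# digits, underscore and hyphen.  Space, ';', '|', '&', '$', backticks, quotes
# and newlines are rejected up front, so a value can never end the current
# shell command and begin another.
IDENTIFIER_RE = re.compile(r"^[A-Za-z0-9_-]{1,64}$")


def validate_identifier(value: str) -> str:
    """Return value unchanged if it matches the allowlist, otherwise raise."""
    if not IDENTIFIER_RE.fullmatch(value):
        raise ValueError(f"illegal identifier: {value!r}")
    return value


def build_migrate_command_vulnerable(cube_name: str, project: str) -> str:
    """Vulnerable pattern: request parameters concatenated straight into a
    shell command line.  'echo' stands in for the real migration script."""
    return "echo migrating " + cube_name + " in " + project


def run_vulnerable(cube_name: str, project: str) -> str:
    """Execute the concatenated string through /bin/sh (shell=True)."""
    cmd = build_migrate_command_vulnerable(cube_name, project)
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


# The Python interpreter stands in for the migration script so the hardened
# path runs anywhere; it just prints the arguments it was given.
_MIGRATE_STUB = "import sys; print('migrating', sys.argv[1], 'in', sys.argv[2])"


def build_migrate_argv_safe(cube_name: str, project: str) -> list:
    """Hardened form: allowlist-validate every parameter, then build an argv
    list instead of a command string."""
    cube_name = validate_identifier(cube_name)
    project = validate_identifier(project)
    return [sys.executable, "-c", _MIGRATE_STUB, cube_name, project]


def run_safe(cube_name: str, project: str) -> str:
    """Execute without a shell: each argv element is passed verbatim."""
    argv = build_migrate_argv_safe(cube_name, project)
    return subprocess.run(argv, capture_output=True, text=True).stdout


def run_argv_no_validation(cube_name: str, project: str) -> str:
    """Second line of defence shown on its own: even without the allowlist,
    passing parameters as separate argv entries (no shell) keeps shell
    metacharacters inert; the payload arrives as one literal argument."""
    argv = [sys.executable, "-c", _MIGRATE_STUB, cube_name, project]
    return subprocess.run(argv, capture_output=True, text=True).stdout


if __name__ == "__main__":
    payload = "demo; echo INJECTED"          # constructed test input
    print(run_vulnerable(payload, "proj"), end="")          # second command runs
    print(run_argv_no_validation(payload, "proj"), end="")  # payload is literal
    try:
        run_safe(payload, "proj")
    except ValueError as err:
        print("rejected:", err)
    print(run_safe("demo_cube", "proj"), end="")
```

The two defences are independent: the allowlist stops the request at the boundary where it is cheapest to reject, and the argv form means that even a parameter the allowlist mistakenly admits cannot spawn a second command, because no shell ever parses it. Relying on argv alone is not enough in general, since a literal argument can still be interpreted by the called program (for instance as an option or a path), which is why the patch described above validates the values themselves.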