diff --git a/kyuubi-server/src/main/scala/org/apache/kyuubi/server/http/authentication/BasicAuthenticationHandler.scala b/kyuubi-server/src/main/scala/org/apache/kyuubi/server/http/authentication/BasicAuthenticationHandler.scala
index 9d6d0445c8c..17498439a54 100644
--- a/kyuubi-server/src/main/scala/org/apache/kyuubi/server/http/authentication/BasicAuthenticationHandler.scala
+++ b/kyuubi-server/src/main/scala/org/apache/kyuubi/server/http/authentication/BasicAuthenticationHandler.scala
@@ -69,7 +69,7 @@ class BasicAuthenticationHandler(basicAuthType: AuthType)
 val authorization = getAuthorization(request)
 val inputToken = Option(authorization).map(a => Base64.getDecoder.decode(a.getBytes()))
 .getOrElse(Array.empty[Byte])
- val creds = new String(inputToken, Charset.forName("UTF-8")).split(":")
+ val creds = new String(inputToken, Charset.forName("UTF-8")).split(":", 2)
 if (allowAnonymous) {
 authUser = creds.take(1).headOption.filterNot(_.isEmpty).getOrElse("anonymous")
diff --git a/kyuubi-server/src/main/scala/org/apache/kyuubi/server/http/authentication/KyuubiInternalAuthenticationHandler.scala b/kyuubi-server/src/main/scala/org/apache/kyuubi/server/http/authentication/KyuubiInternalAuthenticationHandler.scala
index d910f4a8396..98dfa3f41f6 100644
--- a/kyuubi-server/src/main/scala/org/apache/kyuubi/server/http/authentication/KyuubiInternalAuthenticationHandler.scala
+++ b/kyuubi-server/src/main/scala/org/apache/kyuubi/server/http/authentication/KyuubiInternalAuthenticationHandler.scala
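Review bot: With the limit of 2, `"user:".split(":", 2)` now yields `Array("user", "")`, whereas the unlimited split dropped the trailing empty element and yielded `Array("user")`, so an empty password arrives as a present-but-empty second element instead of a missing one. The non-anonymous path that consumes `creds(1)` lies outside this hunk, so I cannot see whether it guards on `creds.length`/`creds.size` alone; if it does, it should also reject an empty `creds(1)` the way KyuubiInternalAuthenticationHandler does, otherwise an empty password is handed to whatever verifies it downstream. A why-comment above the split would stop the next reader from reverting it to the unlimited form: `// RFC 7617: the user-id cannot contain ':' but the password may, so split on the first ':' only`. The enclosing method starts before and continues after this hunk.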
@@ -48,7 +48,7 @@ class KyuubiInternalAuthenticationHandler extends AuthenticationHandler with Log
 val authorization = getAuthorization(request)
 val inputToken = Option(authorization).map(a => Base64.getDecoder.decode(a.getBytes()))
 .getOrElse(Array.empty[Byte])
- val creds = new String(inputToken, StandardCharsets.UTF_8).split(":")
+ val creds = new String(inputToken, StandardCharsets.UTF_8).split(":", 2)
 if (creds.size < 2 || creds(0).trim.isEmpty || creds(1).trim.isEmpty) {
 response.setHeader(WWW_AUTHENTICATE_HEADER, authScheme.toString)
diff --git a/kyuubi-server/src/test/scala/org/apache/kyuubi/operation/KyuubiRestAuthenticationSuite.scala b/kyuubi-server/src/test/scala/org/apache/kyuubi/operation/KyuubiRestAuthenticationSuite.scala
index f25d893af42..cbadb37521c 100644
--- a/kyuubi-server/src/test/scala/org/apache/kyuubi/operation/KyuubiRestAuthenticationSuite.scala
+++ b/kyuubi-server/src/test/scala/org/apache/kyuubi/operation/KyuubiRestAuthenticationSuite.scala
@@ -240,6 +240,15 @@ class KyuubiRestCustomAuthenticationTest extends KyuubiRestAuthenticationSuite {
 assert(HttpServletResponse.SC_OK == response.getStatus)
 }
+ test("test with invalid CUSTOM http basic authorization that contains colon") {
 val response = webTarget.path("api/v1/sessions/count")
 .request()
 .header(AUTHORIZATION_HEADER, basicAuthorizationHeader("user", "password:with:colons"))
 .get()
+ assert(HttpServletResponse.SC_FORBIDDEN == response.getStatus)
+ }
+
 test("test with invalid CUSTOM http basic authorization") {
 val response = webTarget.path("api/v1/sessions/count")
 .request()
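Review bot: The new `split(":", 2)` has no comment saying why the limit is there, and the unlimited form it replaces looks like the "obvious" one, so it is at risk of being reverted; suggest `// Split on the first ':' only: RFC 7617 forbids ':' in the user-id but allows it in the password.` directly above the `val creds` line. Separately, `Base64.getDecoder.decode(a.getBytes())` two lines above throws `IllegalArgumentException` on a malformed `Authorization` value sent by an untrusted client, and nothing in this hunk catches it, so unless a caller outside the hunk does, a garbage header produces a server error rather than the `WWW-Authenticate` challenge the `creds` check below issues — I cannot confirm from here, as the method continues past the hunk. The visible check trims before testing for emptiness, so whitespace-only user or password values are also rejected, which is the right direction.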
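Review bot: The added test pins only a rejection: a 403 for `user`/`password:with:colons` is also what the pre-patch code would return unless the suite's custom authenticator happens to accept the pair `user`/`password` that the old unlimited split would have produced, and that fixture is outside this hunk, so I cannot tell whether the assertion distinguishes old from new behavior at all. A positive case — a password containing a colon that the custom provider is configured to accept, asserting `HttpServletResponse.SC_OK` — would pin the actual fix. The name `... invalid ... that contains colon` also reads as if the colon itself were the invalidity; if a positive case is added, something like `test("CUSTOM http basic authorization splits the password on the first colon only")` states the behavior under test.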