Apache Cassandra security advisories

Security information for Apache Cassandra

Reporting

Do you want disclose a potential security issue for Apache Cassandra? You can read more about the projects’ security policy on their security page, and email your report to the Apache Security Team.

Advisories

This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org

Authenticated DoS via ALTER ROLE Password Hashing

CVE-2026-32588 [CVE] [CVE json] [OSV json]

Last updated: 2026-04-08T14:57:32.286Z

Affected

  • Apache Cassandra from 4.0 through 4.0.19
  • Apache Cassandra from 4.1 through 4.1.10
  • Apache Cassandra from 5.0 through 5.0.6
  • Apache Cassandra at 6.0-alpha1

Description

Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticated user to raise query latencies via repeated password changes.
Users are recommended to upgrade to version 4.0.20, 4.1.11, 5.0.7, which fixes this issue.

References

Credits

  • Youlong Chen, Institute of Computing Technology, Chinese Academy of Sciences (reporter)

cqlsh history sensitive information leak

CVE-2026-27315 [CVE] [CVE json] [OSV json]

Last updated: 2026-04-07T16:40:48.899Z

Affected

  • Apache Cassandra from 4.0 through 4.0.19

Description

Sensitive Information Leak in cqlsh in Apache Cassandra 4.0 allows access to sensitive information, like passwords, from previously executed cqlsh command via  ~/.cassandra/cqlsh_history local file access.

Users are recommended to upgrade to version 4.0.20, which fixes this issue.


Description: Cassandra’s command-line tool, cqlsh, provides a command history feature that allows users to recall previously executed commands using the up/down arrow keys. These history records are saved in the ~/.cassandra/cqlsh_history file in the user’s home directory.

However, cqlsh does not redact sensitive information when saving command history. This means that if a user executes operations involving passwords (such as logging in or creating users) within cqlsh, these passwords are permanently stored in cleartext in the history file on the disk.


References

Credits

  • Youlong Chen, Institute of Computing Technology, Chinese Academy of Sciences (reporter)

Privilege escalation via ADD IDENTITY authorization bypass

CVE-2026-27314 [CVE] [CVE json] [OSV json]

Last updated: 2026-04-07T16:33:42.799Z

Affected

  • Apache Cassandra from 5.0 through 5.0.6

Description

Privilege escalation in Apache Cassandra 5.0 on an mTLS environment using MutualTlsAuthenticator allows a user with only CREATE permission to associate their own certificate identity with an arbitrary role,
including a superuser role, and authenticate as that role via ADD IDENTITY.

Users are recommended to upgrade to version 5.0.7+, which fixes this issue. 



References

Credits

  • Sho Odagiri, GMO Cybersecurity by Ierae, Inc. (reporter)

User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsafe actions (4.0.16 only)

CVE-2025-26467 [CVE] [CVE json] [OSV json]

Last updated: 2025-08-25T13:14:47.609Z

Affected

  • Apache Cassandra at 4.0.16

Description

Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system resource. Operators granting data MODIFY permission on all keyspaces on affected versions should review data access rules for potential breaches.



This issue affects Apache Cassandra 3.0.30, 3.11.17, 4.0.16, 4.1.7, 5.0.2, but this advisory is only for 4.0.16 because the fix to CVE-2025-23015 was incorrectly applied to 4.0.16, so that version is still affected.

Users in the 4.0 series are recommended to upgrade to version 4.0.17 which fixes the issue. Users from 3.0, 3.11, 4.1 and 5.0 series should follow recommendation from CVE-2025-23015.

References

Credits

  • Adam Pond of Apple Services Engineering Security (finder)
  • Ali Mirheidari of Apple Services Engineering Security (finder)
  • Terry Thibault of Apple Services Engineering Security (finder)
  • Will Brattain of Apple Services Engineering Security (finder)

CassandraNetworkAuthorizer and CassandraCIDRAuthorizer can be bypassed allowing access to different network regions

CVE-2025-24860 [CVE] [CVE json] [OSV json]

Last updated: 2025-02-04T10:17:53.494Z

Affected

  • Apache Cassandra from 4.0.0 through 4.0.15
  • Apache Cassandra from 4.1.0 through 4.1.7
  • Apache Cassandra from 5.0.0 through 5.0.2

Description

Incorrect Authorization vulnerability in Apache Cassandra allowing users to access a datacenter or IP/CIDR groups they should not be able to when using CassandraNetworkAuthorizer or CassandraCIDRAuthorizer.

Users with restricted data center access can update their own permissions via data control language (DCL) statements on affected versions.

This issue affects Apache Cassandra: from 4.0.0 through 4.0.15 and from 4.1.0 through 4.1.7 for CassandraNetworkAuthorizer, and from 5.0.0 through 5.0.2 for both CassandraNetworkAuthorizer and CassandraCIDRAuthorizer.

Operators using CassandraNetworkAuthorizer or CassandraCIDRAuthorizer on affected versions should review data access rules for potential breaches. Users are recommended to upgrade to versions 4.0.16, 4.1.8, 5.0.3, which fixes the issue.

References

Credits

  • Stefan Miklosovic (reporter)

User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsafe actions

CVE-2025-23015 [CVE] [CVE json] [OSV json]

Last updated: 2025-02-11T15:47:20.883Z

Affected

  • Apache Cassandra from 3.0.0 through 3.0.30
  • Apache Cassandra from 3.1.0 through 3.11.17
  • Apache Cassandra from 4.0.0 through 4.0.16
  • Apache Cassandra from 4.1.0 through 4.1.7
  • Apache Cassandra from 5.0.0 through 5.0.2

Description

Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system resource. Operators granting data MODIFY permission on all keyspaces on affected versions should review data access rules for potential breaches.

This issue affects Apache Cassandra through 3.0.30, 3.11.17, 4.0.16, 4.1.7, 5.0.2.

Users are recommended to upgrade to versions 3.0.32, 3.11.19, 4.0.17, 4.1.8, 5.0.3, which fixes the issue.

Addendum:

A performance regression was detected in the security releases 3.0.30 [1] and 3.11.18 [2]. Affected users are recommended to upgrade to versions 3.0.32 and 3.11.19 instead.

The fix to this vulnerability was incorrectly applied to 4.0.16, and affected users in the 4.0 series are recommended to upgrade to 4.0.17 (see CVE-2025-26467 for more information).


Remaining versions are unaffected.

[1] - https://lists.apache.org/thread/yprngr9cmp9c43m1c56thv1v0v6y5ywq
[2] - https://lists.apache.org/thread/hc9shwlm1kmxdxosbh3qo2xooqoo3sc6


References

Credits

  • Adam Pond of Apple Services Engineering Security (finder)
  • Ali Mirheidari of Apple Services Engineering Security (finder)
  • Terry Thibault of Apple Services Engineering Security (finder)
  • Will Brattain of Apple Services Engineering Security (finder)

unrestricted deserialization of JMX authentication credentials

CVE-2024-27137 [CVE] [CVE json] [OSV json]

Last updated: 2025-02-04T10:19:42.511Z

Affected

  • Apache Cassandra from 4.0.2 before 4.0.15
  • Apache Cassandra from 4.1.0 before 4.1.8
  • Apache Cassandra from 5.0-beta1 before 5.0.3

Description

In Apache Cassandra it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorized operations.

This is same vulnerability that CVE-2020-13946 was issued for, but the Java option was changed in JDK10.

This issue affects Apache Cassandra from 4.0.2 through 5.0.2 running Java 11.

Operators are recommended to upgrade to a release equal to or later than 4.0.15, 4.1.8, or 5.0.3 which fixes the issue.

References

Privilege escalation when enabling FQL/Audit logs

CVE-2023-30601 [CVE] [CVE json] [OSV json]

Last updated: 2023-05-30T07:25:46.970Z

Affected

  • Apache Cassandra from 4.0.0 through 4.0.9
  • Apache Cassandra from 4.1.0 through 4.1.1

Description

Privilege escalation when enabling FQL/Audit logs allows user with JMX access to run arbitrary commands as the user running Apache Cassandra

This issue affects Apache Cassandra: from 4.0.0 through 4.0.9, from 4.1.0 through 4.1.1.

WORKAROUND
The vulnerability requires nodetool/JMX access to be exploitable, disable access for any non-trusted users.

MITIGATION
Upgrade to 4.0.10 or 4.1.2 and leave the new FQL/Auditlog configuration property allow_nodetool_archive_command as false.

References

Credits

  • Gal Elbaz at Oligo (finder)

Remote code execution for scripted UDFs

CVE-2021-44521 [CVE] [CVE json] [OSV json]

Last updated: 2022-02-11T12:02:55.157Z

Affected

  • Apache Cassandra from 3.0.0 before *

Description

When running Apache Cassandra with the following configuration:

enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false

it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE.

References

Credits

  • This issue was discovered by Omer Kaspi of the JFrog Security vulnerability research team.