Apache Cassandra security advisories
Security information for Apache Cassandra
Reporting
Do you want disclose a potential security issue for Apache Cassandra? You can read more about the projects’ security policy on their security page, and email your report to the Apache Security Team.
Advisories
This section is experimental: it provides advisories since 2023 and may lag behind the official CVE publications. It may also lack details found on the project security page. If you have any feedback on how you would like this data to be provided, you are welcome to reach out on our public mailinglist or privately on security@apache.org
Authenticated DoS via ALTER ROLE Password Hashing
CVE-2026-32588 [CVE] [CVE json] [OSV json]
Last updated: 2026-04-08T14:57:32.286Z
Affected
- Apache Cassandra from 4.0 through 4.0.19
- Apache Cassandra from 4.1 through 4.1.10
- Apache Cassandra from 5.0 through 5.0.6
- Apache Cassandra at 6.0-alpha1
Description
Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticated user to raise query latencies via repeated password changes.
Users are recommended to upgrade to version 4.0.20, 4.1.11, 5.0.7, which fixes this issue.
References
Credits
- Youlong Chen, Institute of Computing Technology, Chinese Academy of Sciences (reporter)
cqlsh history sensitive information leak
CVE-2026-27315 [CVE] [CVE json] [OSV json]
Last updated: 2026-04-07T16:40:48.899Z
Affected
- Apache Cassandra from 4.0 through 4.0.19
Description
Sensitive Information Leak in cqlsh in Apache Cassandra 4.0 allows access to sensitive information, like passwords, from previously executed cqlsh command via ~/.cassandra/cqlsh_history local file access.
Users are recommended to upgrade to version 4.0.20, which fixes this issue.
–
Description: Cassandra’s command-line tool, cqlsh, provides a command history feature that allows users to recall previously executed commands using the up/down arrow keys. These history records are saved in the ~/.cassandra/cqlsh_history file in the user’s home directory.
However, cqlsh does not redact sensitive information when saving command history. This means that if a user executes operations involving passwords (such as logging in or creating users) within cqlsh, these passwords are permanently stored in cleartext in the history file on the disk.
References
- https://issues.apache.org/jira/browse/CASSANDRA-21180
- https://lists.apache.org/thread/ft77zrk2mzt8qsch4g6jqjj4901d22k3
Credits
- Youlong Chen, Institute of Computing Technology, Chinese Academy of Sciences (reporter)
Privilege escalation via ADD IDENTITY authorization bypass
CVE-2026-27314 [CVE] [CVE json] [OSV json]
Last updated: 2026-04-07T16:33:42.799Z
Affected
- Apache Cassandra from 5.0 through 5.0.6
Description
Privilege escalation in Apache Cassandra 5.0 on an mTLS environment using MutualTlsAuthenticator allows a user with only CREATE permission to associate their own certificate identity with an arbitrary role,
including a superuser role, and authenticate as that role via ADD IDENTITY.
Users are recommended to upgrade to version 5.0.7+, which fixes this issue.
References
Credits
- Sho Odagiri, GMO Cybersecurity by Ierae, Inc. (reporter)
User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsafe actions (4.0.16 only)
CVE-2025-26467 [CVE] [CVE json] [OSV json]
Last updated: 2025-08-25T13:14:47.609Z
Affected
- Apache Cassandra at 4.0.16
Description
Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system resource. Operators granting data MODIFY permission on all keyspaces on affected versions should review data access rules for potential breaches.
This issue affects Apache Cassandra 3.0.30, 3.11.17, 4.0.16, 4.1.7, 5.0.2, but this advisory is only for 4.0.16 because the fix to CVE-2025-23015 was incorrectly applied to 4.0.16, so that version is still affected.
Users in the 4.0 series are recommended to upgrade to version 4.0.17 which fixes the issue. Users from 3.0, 3.11, 4.1 and 5.0 series should follow recommendation from CVE-2025-23015.
References
Credits
- Adam Pond of Apple Services Engineering Security (finder)
- Ali Mirheidari of Apple Services Engineering Security (finder)
- Terry Thibault of Apple Services Engineering Security (finder)
- Will Brattain of Apple Services Engineering Security (finder)
CassandraNetworkAuthorizer and CassandraCIDRAuthorizer can be bypassed allowing access to different network regions
CVE-2025-24860 [CVE] [CVE json] [OSV json]
Last updated: 2025-02-04T10:17:53.494Z
Affected
- Apache Cassandra from 4.0.0 through 4.0.15
- Apache Cassandra from 4.1.0 through 4.1.7
- Apache Cassandra from 5.0.0 through 5.0.2
Description
Incorrect Authorization vulnerability in Apache Cassandra allowing users to access a datacenter or IP/CIDR groups they should not be able to when using CassandraNetworkAuthorizer or CassandraCIDRAuthorizer.
Users with restricted data center access can update their own permissions via data control language (DCL) statements on affected versions.
This issue affects Apache Cassandra: from 4.0.0 through 4.0.15 and from 4.1.0 through 4.1.7 for CassandraNetworkAuthorizer, and from 5.0.0 through 5.0.2 for both CassandraNetworkAuthorizer and CassandraCIDRAuthorizer.
Operators using CassandraNetworkAuthorizer or CassandraCIDRAuthorizer on affected versions should review data access rules for potential breaches. Users are recommended to upgrade to versions 4.0.16, 4.1.8, 5.0.3, which fixes the issue.
References
Credits
- Stefan Miklosovic (reporter)
User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsafe actions
CVE-2025-23015 [CVE] [CVE json] [OSV json]
Last updated: 2025-02-11T15:47:20.883Z
Affected
- Apache Cassandra from 3.0.0 through 3.0.30
- Apache Cassandra from 3.1.0 through 3.11.17
- Apache Cassandra from 4.0.0 through 4.0.16
- Apache Cassandra from 4.1.0 through 4.1.7
- Apache Cassandra from 5.0.0 through 5.0.2
Description
Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system resource. Operators granting data MODIFY permission on all keyspaces on affected versions should review data access rules for potential breaches.
This issue affects Apache Cassandra through 3.0.30, 3.11.17, 4.0.16, 4.1.7, 5.0.2.
Users are recommended to upgrade to versions 3.0.32, 3.11.19, 4.0.17, 4.1.8, 5.0.3, which fixes the issue.
Addendum:
A performance regression was detected in the security releases 3.0.30 [1] and 3.11.18 [2]. Affected users are recommended to upgrade to versions 3.0.32 and 3.11.19 instead.
The fix to this vulnerability was incorrectly applied to 4.0.16, and affected users in the 4.0 series are recommended to upgrade to 4.0.17 (see CVE-2025-26467 for more information).
Remaining versions are unaffected.
[1] - https://lists.apache.org/thread/yprngr9cmp9c43m1c56thv1v0v6y5ywq
[2] - https://lists.apache.org/thread/hc9shwlm1kmxdxosbh3qo2xooqoo3sc6
References
Credits
- Adam Pond of Apple Services Engineering Security (finder)
- Ali Mirheidari of Apple Services Engineering Security (finder)
- Terry Thibault of Apple Services Engineering Security (finder)
- Will Brattain of Apple Services Engineering Security (finder)
unrestricted deserialization of JMX authentication credentials
CVE-2024-27137 [CVE] [CVE json] [OSV json]
Last updated: 2025-02-04T10:19:42.511Z
Affected
- Apache Cassandra from 4.0.2 before 4.0.15
- Apache Cassandra from 4.1.0 before 4.1.8
- Apache Cassandra from 5.0-beta1 before 5.0.3
Description
In Apache Cassandra it is possible for a local attacker without access
to the Apache Cassandra process or configuration files to manipulate
the RMI registry to perform a man-in-the-middle attack and capture user
names and passwords used to access the JMX interface. The attacker can
then use these credentials to access the JMX interface and perform
unauthorized operations.
This is same vulnerability that CVE-2020-13946 was issued for, but the Java option was changed in JDK10.
This issue affects Apache Cassandra from 4.0.2 through 5.0.2 running Java 11.
Operators are recommended to upgrade to a release equal to or later than 4.0.15, 4.1.8, or 5.0.3 which fixes the issue.
References
Privilege escalation when enabling FQL/Audit logs
CVE-2023-30601 [CVE] [CVE json] [OSV json]
Last updated: 2023-05-30T07:25:46.970Z
Affected
- Apache Cassandra from 4.0.0 through 4.0.9
- Apache Cassandra from 4.1.0 through 4.1.1
Description
Privilege escalation when enabling FQL/Audit logs allows user with JMX access to run arbitrary commands as the user running Apache Cassandra
This issue affects Apache Cassandra: from 4.0.0 through 4.0.9, from 4.1.0 through 4.1.1.
WORKAROUNDThe vulnerability requires nodetool/JMX access to be exploitable, disable access for any non-trusted users.
MITIGATION
Upgrade to 4.0.10 or 4.1.2 and leave the new FQL/Auditlog configuration property allow_nodetool_archive_command as false.
References
Credits
- Gal Elbaz at Oligo (finder)
Remote code execution for scripted UDFs
CVE-2021-44521 [CVE] [CVE json] [OSV json]
Last updated: 2022-02-11T12:02:55.157Z
Affected
- Apache Cassandra from 3.0.0 before *
Description
When running Apache Cassandra with the following configuration:
enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false
it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE.
References
Credits
- This issue was discovered by Omer Kaspi of the JFrog Security vulnerability research team.