Apache Cassandra
16 CVEs affecting Apache Cassandra. Latest disclosed: 2026-04-07. Critical: 3, High: 6.
| CVE | Severity | Score | Published | Summary |
|---|---|---|---|---|
| CVE-2018-8016 | Critical | 9.8 | 2018-06-28 | The default configuration in Apache Cassandra 3.8 through 3.11.1 binds an unauthenticated JMX/RMI interface to all network interfaces, which allows remote atta… |
| CVE-2016-3427 | Critical | 9.8 | 2016-04-21 | Unspecified vulnerability in Oracle Java SE 6u113, 7u99, and 8u77; Java SE Embedded 8u77; and JRockit R28.3.9 allows remote attackers to affect confidentiality… |
| CVE-2021-44521 | Critical | 9.1 | 2022-02-11 | When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_de… |
| CVE-2026-27314 | High | 8.8 | 2026-04-07 | Privilege escalation in Apache Cassandra 5.0 on an mTLS environment using MutualTlsAuthenticator allows a user with only CREATE permission to associate their o… |
| CVE-2025-26467 | High | 8.8 | 2025-08-25 | Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. A user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser w… |
| CVE-2025-23015 | High | 8.8 | 2025-02-04 | Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. A user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser w… |
| CVE-2023-30601 | High | 7.8 | 2023-05-30 | Privilege escalation when enabling FQL/Audit logs allows a user with JMX access to run arbitrary commands as the user running Apache Cassandra. This issue affects… |
| CVE-2020-17516 | High | 7.5 | 2021-02-03 | Apache Cassandra versions 2.1.0 to 2.1.22, 2.2.0 to 2.2.19, 3.0.0 to 3.0.23, and 3.11.0 to 3.11.9, when using 'dc' or 'rack' internode_encryption setting, allo… |
| CVE-2016-4970 | High | 7.5 | 2017-04-13 | handler/ssl/OpenSslEngine.java in Netty 4.0.x before 4.0.37.Final and 4.1.x before 4.1.1.Final allows remote attackers to cause a denial of service (infinite l… |
| CVE-2026-32588 | Medium | 6.5 | 2026-04-07 | Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows an authenticated user to raise query latencies via repeated password changes. Users are recomm… |
| CVE-2020-13946 | Medium | 5.9 | 2020-09-01 | In Apache Cassandra, all versions prior to 2.1.22, 2.2.18, 3.0.22, 3.11.8 and 4.0-beta2, it is possible for a local attacker without access to the Apache Cassa… |
| CVE-2019-2684 | Medium | 5.9 | 2019-04-23 | Vulnerability in the Java SE, Java SE Embedded component of Oracle Java SE (subcomponent: RMI). Supported versions that are affected are Java SE: 7u211, 8u202… |
| CVE-2026-27315 | Medium | 5.5 | 2026-04-07 | Sensitive Information Leak in cqlsh in Apache Cassandra 4.0 allows access to sensitive information, like passwords, from previously executed cqlsh command via… |
| CVE-2025-24860 | Medium | 5.4 | 2025-02-04 | Incorrect Authorization vulnerability in Apache Cassandra allowing users to access a datacenter or IP/CIDR groups they should not be able to when using Cassand… |
| CVE-2024-27137 | Medium | 5.3 | 2025-02-04 | In Apache Cassandra it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry… |
| CVE-2015-0225 | | | 2015-04-03 | The default configuration in Apache Cassandra 1.2.0 through 1.2.19, 2.0.0 through 2.0.13, and 2.1.0 through 2.1.3 binds an unauthenticated JMX/RMI interface to… |