Remote code execution for scripted UDFs
Description
When running Apache Cassandra with the following configuration: enable_user_defined_functions: true enable_scripted_user_defined_functions: true enable_user_defined_functions_threads: false it is possible for an attacker to execute arbitrary code on the host. The attacker would need to have enough permissions to create user defined functions in the cluster to be able to exploit this. Note that this configuration is documented as unsafe, and will continue to be considered unsafe after this CVE.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Cassandra allows remote code execution via scripted UDFs when threads disabled; attackers need UDF create permissions.
Vulnerability
When running Apache Cassandra with the configuration enable_user_defined_functions: true, enable_scripted_user_defined_functions: true, and enable_user_defined_functions_threads: false, an attacker can execute arbitrary code on the host [1][3][4]. This configuration is documented as unsafe. Affected versions include 3.0.x before 3.0.26, 3.11.x before 3.11.12, and 4.0.x before 4.0.2 [3][4].
Exploitation
An attacker must have sufficient permissions to create user defined functions (UDFs) in the cluster [1][3]. By creating a malicious scripted UDF, the attacker can trigger arbitrary code execution when the UDF is invoked [3]. No additional authentication or user interaction beyond UDF creation is required.
Impact
Successful exploitation allows arbitrary code execution on the host, leading to full compromise of the Cassandra node. The attacker can read, modify, or delete data, and potentially move laterally within the network.
Mitigation
Set enable_user_defined_functions_threads: true (the default) or upgrade to fixed versions: 3.0.26 for 3.0 users, 3.11.12 for 3.11 users, and 4.0.2 for 4.0 users [3][4]. No other workarounds exist; the configuration is intentionally unsafe.
AI Insight generated on May 21, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.cassandra:cassandra-allMaven | < 3.0.26 | 3.0.26 |
org.apache.cassandra:cassandra-allMaven | >= 3.11.0, < 3.11.12 | 3.11.12 |
org.apache.cassandra:cassandra-allMaven | >= 4.0.0, < 4.0.2 | 4.0.2 |
Affected products
5- osv-coords4 versionspkg:apk/chainguard/druid-compatpkg:apk/wolfi/druid-compatpkg:bitnami/cassandrapkg:maven/org.apache.cassandra/cassandra-all
< 34.0.0-r6+ 3 more
- (no CPE)range: < 34.0.0-r6
- (no CPE)range: < 34.0.0-r6
- (no CPE)range: >= 3.0.0, < 3.0.26
- (no CPE)range: < 3.0.26
- Apache Software Foundation/Apache Cassandrav5Range: 3.0.0
Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
9- github.com/advisories/GHSA-8ffc-79xg-29w8ghsaADVISORY
- nvd.nist.gov/vuln/detail/CVE-2021-44521ghsaADVISORY
- www.openwall.com/lists/oss-security/2022/02/11/4ghsamailing-listx_refsource_MLISTWEB
- issues.apache.org/jira/browse/CASSANDRA-17352ghsaWEB
- jfrog.com/blog/cve-2021-44521-exploiting-apache-cassandra-user-defined-functions-for-remote-code-executionghsaWEB
- jfrog.com/blog/cve-2021-44521-exploiting-apache-cassandra-user-defined-functions-for-remote-code-execution/mitrex_refsource_MISC
- lists.apache.org/thread/y4nb9s4co34j8hdfmrshyl09lokm7356ghsax_refsource_MISCWEB
- security.netapp.com/advisory/ntap-20220225-0001ghsaWEB
- security.netapp.com/advisory/ntap-20220225-0001/mitrex_refsource_CONFIRM
News mentions
0No linked articles in our index yet.