Apache Cassandra: unrestricted deserialization of JMX authentication credentials
Description
In Apache Cassandra it is possible for a local attacker without access to the Apache Cassandra process or configuration files to manipulate the RMI registry to perform a man-in-the-middle attack and capture user names and passwords used to access the JMX interface. The attacker can then use these credentials to access the JMX interface and perform unauthorized operations.
This is the same vulnerability that CVE-2020-13946 was issued for, but the Java option was changed in JDK10.
This issue affects Apache Cassandra from 4.0.2 through 5.0.2 running Java 11.
Operators are advised to upgrade to release 4.0.15, 4.1.8, or 5.0.3, or to a later release, all of which fix the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
A local attacker can manipulate the RMI registry to intercept JMX credentials, leading to full JMX access and unauthorized operations in Apache Cassandra.
Root Cause
The vulnerability in Apache Cassandra arises because the RMI registry used for JMX authentication is not sufficiently secured, allowing a local attacker without access to the Cassandra process or configuration files to perform a man-in-the-middle attack. This issue affects Cassandra versions 4.0.2 through 5.0.2 running on Java 11 [1]. The same underlying flaw was previously addressed in CVE-2020-13946, but the Java option involved was changed in JDK10, leaving these versions exposed [1].
Attack Vector
A local attacker positioned on the same host as the Cassandra instance can intercept the RMI registry communication and capture the credentials (user names and passwords) used to access the JMX interface. No special access to the Cassandra process or configuration files is required [1]. The attacker can then use these captured credentials to authenticate to the JMX interface.
Impact
Once authenticated, the attacker gains full access to the JMX interface, enabling them to perform unauthorized operations on the Cassandra cluster. This could include modifying configuration settings, retrieving sensitive data, or disrupting services [1].
Mitigation
Apache has released fixes in versions 4.0.15, 4.1.8, and 5.0.3 [1]. Operators running affected versions should upgrade to these or later releases. The official Cassandra repository provides the source code and release artifacts [2].
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.cassandra:cassandra-all (Maven) | >= 5.0-beta1, < 5.0.3 | 5.0.3 |
| org.apache.cassandra:cassandra-all (Maven) | >= 4.1.0, < 4.1.8 | 4.1.8 |
| org.apache.cassandra:cassandra-all (Maven) | >= 4.0.2, < 4.0.15 | 4.0.15 |
Affected products
- osv-coords (2 versions): >= 4.0.2, < 4.0.15 (+ 1 more)
- (no CPE), range: >= 4.0.2, < 4.0.15
- (no CPE), range: >= 5.0-beta1, < 5.0.3
- Apache Software Foundation / Apache Cassandra (v5), range: 4.0.2
References
- github.com/advisories/GHSA-rgfx-7p65-3ff4 (ghsa, ADVISORY)
- lists.apache.org/thread/jsk87d9yv8r204mgqpz1qxtp5wcrpysm (ghsa, vendor-advisory, WEB)
- nvd.nist.gov/vuln/detail/CVE-2024-27137 (ghsa, ADVISORY)
- security.netapp.com/advisory/ntap-20250214-0004 (ghsa, WEB)