Apache Zeppelin: Command Injection via CSWSH
Description
Missing Origin Validation in WebSockets vulnerability in Apache Zeppelin.
The attacker could access the Zeppelin server from another origin without any restriction, and get internal information about paragraphs. This issue affects Apache Zeppelin: from 0.11.1 before 0.12.0.
Users are recommended to upgrade to version 0.12.0, which fixes the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Missing Origin Validation in WebSockets in Apache Zeppelin allows cross-origin attackers to access internal paragraph information without restriction.
CVE-2024-51775 describes a missing Origin validation vulnerability in Apache Zeppelin's WebSocket connections. The server fails to validate the Origin header during the WebSocket handshake, allowing any website or script from a different origin to establish a connection without restriction. This affects Zeppelin versions from 0.11.1 before 0.12.0 [1][2].
An attacker can exploit this by hosting a malicious page that opens a WebSocket to the Zeppelin server from a different origin. No authentication or special network position is required; the attacker simply needs to lure a user whose browser can reach the Zeppelin server. Once connected, the attacker can retrieve internal information about paragraphs, which may include sensitive data or configuration details [1][2].
The impact is the unauthorized disclosure of internal paragraph information, potentially leading to further attacks. The Apache security team rated this as moderate severity [2].
Mitigation is straightforward: users should upgrade to Apache Zeppelin 0.12.0, which includes a server-side Origin check for WebSocket connections as implemented in pull request #4823 [3]. No workarounds are documented.
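The server-side Origin check described above can be illustrated generically. The block below is an added example, not Zeppelin's code from pull request #4823; it assumes a hypothetical deployment reachable at https://zeppelin.example.com and a handler that runs on the upgrade request before the server answers with 101 Switching Protocols. The vulnerable behaviour amounts to skipping this check and accepting every handshake, which is what lets a page on another origin open the socket.

```python
"""Origin allowlist check for a WebSocket handshake (illustrative example).

Not Apache Zeppelin code. Assumed (hypothetical) deployment: the notebook is
served at https://zeppelin.example.com, and this check is called with the
upgrade request's headers before the 101 response is sent.
"""
from urllib.parse import urlsplit

# A browser's Origin header only ever carries an http or https scheme.
DEFAULT_PORTS = {"http": 80, "https": 443}


def normalize_origin(origin: str):
    """Return (scheme, host, port) for a serialized Origin, or None if it is
    malformed. Filling in the default port makes "https://a.example" and
    "https://a.example:443" compare equal, matching how browsers treat them."""
    parts = urlsplit(origin.strip())
    if parts.scheme not in DEFAULT_PORTS or not parts.hostname:
        return None
    # An origin is scheme://host[:port] and nothing else; reject paths,
    # queries, fragments and userinfo so they cannot smuggle a lookalike value.
    if parts.path not in ("", "/") or parts.query or parts.fragment or parts.username:
        return None
    try:
        port = parts.port  # ValueError for a non-numeric or out-of-range port
    except ValueError:
        return None
    if port is None:
        port = DEFAULT_PORTS[parts.scheme]
    return (parts.scheme, parts.hostname, port)  # hostname is already lowercased


def check_websocket_origin(headers: dict, allowed_origins, allow_missing_origin=False):
    """Decide whether the upgrade request may proceed.

    headers: request headers as a dict (keys compared case-insensitively).
    allowed_origins: serialized origins the server trusts, for example
        {"https://zeppelin.example.com"}.
    allow_missing_origin: policy for requests with no Origin header at all
        (non-browser clients). Browsers always send Origin on a WebSocket
        handshake, so a missing header never comes from a cross-site page.
    Returns (accepted, reason) so the decision can be logged.
    """
    allowed = {normalize_origin(o) for o in allowed_origins} - {None}
    origin = next((v for k, v in headers.items() if k.lower() == "origin"), None)

    if origin is None:
        return (allow_missing_origin, "no Origin header")
    if origin.strip().lower() == "null":
        # Opaque origin (sandboxed iframe, file:// page, data: URL): never trusted.
        return (False, "opaque 'null' origin")
    parsed = normalize_origin(origin)
    if parsed is None:
        return (False, "malformed Origin")
    if parsed not in allowed:
        return (False, f"origin {origin!r} not in allowlist")
    return (True, "origin allowed")


if __name__ == "__main__":
    # Constructed sample handshakes against the hypothetical allowlist.
    allowlist = {"https://zeppelin.example.com"}
    samples = [
        {"Host": "zeppelin.example.com", "Origin": "https://zeppelin.example.com"},
        {"Host": "zeppelin.example.com", "Origin": "https://ZEPPELIN.example.com:443"},
        {"Host": "zeppelin.example.com", "Origin": "https://other.example"},
        {"Host": "zeppelin.example.com", "Origin": "null"},
        {"Host": "zeppelin.example.com"},
    ]
    for h in samples:
        print(h.get("Origin", "<none>"), "->", check_websocket_origin(h, allowlist))
```

The comparison is done on a parsed (scheme, host, port) tuple rather than on the raw string so that case and default-port variants of the same origin are treated consistently, while anything that is not a bare origin is rejected outright. The `allow_missing_origin` flag is a deliberate policy knob: requests without an Origin header come from non-browser clients and cannot be a cross-site page, but whether to accept them depends on how the server authenticates such clients.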
AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
| org.apache.zeppelin:zeppelin-shell (Maven) | >= 0.11.1, < 0.12.0 | 0.12.0 |
Affected products
- Apache Software Foundation / Apache Zeppelin, range: 0.11.1
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- github.com/apache/zeppelin/pull/4823 (patch, via GHSA)
- github.com/advisories/GHSA-xg8j-j6vp-6h5w (advisory, via GHSA)
- nvd.nist.gov/vuln/detail/CVE-2024-51775 (advisory, via GHSA)
- www.openwall.com/lists/oss-security/2025/08/03/5 (web, via GHSA)
News mentions
No linked articles in our index yet.