Apache Cassandra: CassandraNetworkAuthorizer and CassandraCIDRAuthorizer can be bypassed allowing access to different network regions
Description
Incorrect Authorization vulnerability in Apache Cassandra allowing users to access a datacenter or IP/CIDR groups they should not be able to when using CassandraNetworkAuthorizer or CassandraCIDRAuthorizer.
Users with restricted data center access can update their own permissions via data control language (DCL) statements on affected versions.
This issue affects Apache Cassandra: from 4.0.0 through 4.0.15 and from 4.1.0 through 4.1.7 for CassandraNetworkAuthorizer, and from 5.0.0 through 5.0.2 for both CassandraNetworkAuthorizer and CassandraCIDRAuthorizer.
Operators using CassandraNetworkAuthorizer or CassandraCIDRAuthorizer on affected versions should review data access rules for potential breaches. Users are recommended to upgrade to versions 4.0.16, 4.1.8, or 5.0.3, which fix the issue.
AI Insight
LLM-synthesized narrative grounded in this CVE's description and references.
Apache Cassandra's network authorizers allow users with restricted access to escalate privileges via DCL statements, bypassing datacenter or IP/CIDR restrictions.
Vulnerability
Overview
CVE-2025-24860 is an incorrect authorization vulnerability in Apache Cassandra's CassandraNetworkAuthorizer and CassandraCIDRAuthorizer. These components are designed to restrict user access to specific datacenters or IP/CIDR groups, but a flaw allows users with restricted permissions to bypass these controls. The root cause lies in how permission updates are handled: users can modify their own permissions using Data Control Language (DCL) statements, effectively granting themselves access to network regions they should not be able to reach [1][3].
Exploitation
An attacker who already holds a limited Cassandra account (e.g., a role restricted to a single datacenter or CIDR group) can exploit this vulnerability by issuing DCL statements that alter their own authorization rules. No additional authentication or network position is required beyond the initial credentials. The attack is carried out over an ordinary authenticated CQL session: the authorizer checks run server-side when the DCL statement is processed, and on affected versions they do not prevent a role from widening its own datacenter or CIDR-group access [3].
Impact
Successful exploitation allows an attacker to gain unauthorized access to other datacenters or IP/CIDR groups within the same Cassandra cluster. This could lead to data exposure, privilege escalation, or lateral movement within the cluster, depending on the network segmentation and data sensitivity [1].
Mitigation
Apache has released fixed versions: 4.0.16, 4.1.8, and 5.0.3. Operators using affected versions (4.0.0–4.0.15, 4.1.0–4.1.7, 5.0.0–5.0.2) should upgrade immediately. No configuration workaround is given in the advisory; until the upgrade is complete, administrators should review existing data access rules (the stored datacenter and CIDR-group assignments) for roles whose access has been widened, and limit which roles may issue DCL statements [1][3].
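The two checks an operator wants after reading this advisory are a version check against the ranges above and a review of the stored datacenter assignments for roles that widened their own access. The script below is an added example, not code from the Cassandra project or from this advisory. It assumes the dump was produced with `SELECT role, dcs FROM system_auth.network_permissions;` in cqlsh (the table CassandraNetworkAuthorizer uses in 4.0+) and that a role with ACCESS TO ALL DATACENTERS has no row in that table; the sample dump and the expected baseline are constructed for the example.

```python
"""Review helper for CVE-2025-24860 (added example, not Cassandra project code).

  1. is_affected(): is a node's reported version inside an affected range?
  2. parse_network_permissions() + find_widened(): do the rows of
     system_auth.network_permissions still match the restrictions the
     operator intended, or has a role widened its own datacenter access?

Assumptions: the dump is cqlsh text output of
  SELECT role, dcs FROM system_auth.network_permissions;
and a role with no row there has ACCESS TO ALL DATACENTERS.
"""
import ast
import re

# Fixed version per release line, from the advisory. Everything earlier on the
# same line (back to its first alpha) is affected.
FIXED = {(4, 0): (4, 0, 16), (4, 1): (4, 1, 8), (5, 0): (5, 0, 3)}


def parse_version(v):
    """'4.0.15' -> (4, 0, 15, 1). A pre-release suffix such as '-alpha1' or
    '-rc2' sorts before the final release of the same number, matching the
    GHSA ranges that start at 4.0-alpha1 / 4.1-alpha1 / 5.0-alpha1."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-(\w+))?", v.strip())
    if not m:
        raise ValueError(f"unrecognised version: {v!r}")
    major, minor, patch, pre = m.groups()
    return (int(major), int(minor), int(patch) if patch else 0, 0 if pre else 1)


def is_affected(v):
    """True if the version is in an affected range for either authorizer."""
    t = parse_version(v)
    fixed = FIXED.get(t[:2])
    if fixed is None:
        return False  # release line not listed in the advisory
    return t < fixed + (1,)


def parse_network_permissions(dump):
    """Turn cqlsh's tabular output into {role: frozenset(datacenters)}."""
    perms = {}
    for line in dump.splitlines():
        if "|" not in line:  # separator, blank and '(n rows)' lines
            continue
        role, dcs = (col.strip() for col in line.split("|", 1))
        if role == "role":  # header row
            continue
        perms[role] = frozenset(ast.literal_eval(dcs))  # "{'dc1', 'dc2'}"
    return perms


def find_widened(observed, baseline):
    """Roles whose current DC set exceeds what the operator intended.

    A baseline-restricted role with no row is reported as widened to all
    datacenters; a role whose row lists extra DCs is reported with those DCs."""
    findings = {}
    for role, allowed in baseline.items():
        current = observed.get(role)
        if current is None:
            findings[role] = "ALL DATACENTERS"
        elif not current <= allowed:
            findings[role] = sorted(current - allowed)
    return findings


# Constructed sample data: 'analyst' has added dc2 to its own row and 'etl'
# has dropped its row entirely (unrestricted); 'reporter' is unchanged.
SAMPLE_DUMP = """\
 role     | dcs
----------+----------------
 analyst  | {'dc1', 'dc2'}
 reporter | {'dc1'}

(2 rows)
"""
BASELINE = {
    "analyst": frozenset({"dc1"}),
    "reporter": frozenset({"dc1"}),
    "etl": frozenset({"dc2"}),
}

if __name__ == "__main__":
    for v in ("4.0.15", "4.0.16", "4.1-rc1", "5.0.2", "5.0.3"):
        print(f"{v:8} affected={is_affected(v)}")
    for role, detail in find_widened(parse_network_permissions(SAMPLE_DUMP), BASELINE).items():
        print(f"role {role!r} widened to {detail}")
```

The baseline is whatever the operator granted on purpose (from change records or a dump taken before the affected versions were deployed); any role the script reports should be reset with ALTER ROLE by an administrator and its activity since the grant reviewed. The same approach applies to CIDR groups on 5.0.x with the CIDR authorizer's permission table substituted for `network_permissions`.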
AI Insight generated on May 20, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Ecosystem | Affected versions | Patched versions |
|---|---|---|---|
| org.apache.cassandra:cassandra-all | Maven | >= 4.0-alpha1, < 4.0.16 | 4.0.16 |
| org.apache.cassandra:cassandra-all | Maven | >= 4.1-alpha1, < 4.1.8 | 4.1.8 |
| org.apache.cassandra:cassandra-all | Maven | >= 5.0-alpha1, < 5.0.3 | 5.0.3 |
Affected products
OSV coordinates (2 version ranges):
- (no CPE) range: >= 4.0.0, < 4.0.16
- (no CPE) range: >= 4.0-alpha1, < 4.0.16
- Apache Software Foundation / Apache Cassandra, v5 range: 4.0.0
Patches
No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
- [1] GitHub Security Advisory: github.com/advisories/GHSA-3cjf-fwcq-xh22
- [2] Vendor advisory (Apache mailing list): lists.apache.org/thread/yjo5on4tf7s1r9qklc4byrz30b8vkm2d
- [3] NVD: nvd.nist.gov/vuln/detail/CVE-2025-24860
- [4] oss-security: www.openwall.com/lists/oss-security/2025/02/03/3
- [5] NetApp advisory: security.netapp.com/advisory/ntap-20250214-0005
News mentions
No linked articles in our index yet.