CVE-2025-24860
CVSS 3.1 Score 5.4 of 10 (medium)
Details
Summary
CVE-2025-24860 is an Incorrect Authorization vulnerability in Apache Cassandra. When a cluster uses CassandraNetworkAuthorizer or CassandraCIDRAuthorizer, a user can obtain access to datacenters or IP/CIDR groups they were never granted: a role with restricted datacenter access can alter its own permissions through Data Control Language (DCL) statements. Affected versions are 4.0.0 through 4.0.15 and 4.1.0 through 4.1.7 for CassandraNetworkAuthorizer (CassandraCIDRAuthorizer does not exist before 5.0), and 5.0.0 through 5.0.2 for both CassandraNetworkAuthorizer and CassandraCIDRAuthorizer. Operators using either authorizer should audit their existing datacenter and CIDR access rules for changes they did not make, since a vulnerable cluster cannot be assumed to have enforced them. Upgrade to the fixed versions (4.0.16, 4.1.8, or 5.0.3) to remediate the issue.
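The advisory's recommendation to "review data access rules" is easiest to act on by diffing what the cluster currently holds against the rules the operator intended. The following script is an added example, not code from this page or from the Apache Cassandra project: it parses a constructed dump of system_auth.network_permissions (the table CassandraNetworkAuthorizer reads; the sample lines stand in for what `COPY system_auth.network_permissions (role, dcs) TO 'perms.csv';` would export) and reports every role whose effective datacenter set is wider than the baseline. It assumes, as the 4.x authorizer stores it, that a role with no row in that table is unrestricted; verify that against the schema of your version before trusting the "unrestricted" finding. The role names, datacenter names and baseline are hypothetical.

```python
import ast
import csv
import io
from typing import Dict, List, Set, Tuple, Union

# Marker for "ACCESS TO ALL DATACENTERS". Assumption (check against your
# version): CassandraNetworkAuthorizer stores no row for an unrestricted
# role, so a role absent from the dump is treated as ALL.
ALL = "ALL"
DcSpec = Union[str, Set[str]]

# Constructed sample standing in for a CSV export of
# system_auth.network_permissions (role text, dcs frozen<set<text>>).
PERMS_CSV = """\
analyst,"{'dc_eu'}"
ingest,"{'dc_eu', 'dc_us'}"
reporting,{}
"""

# Hypothetical operator baseline, maintained outside the cluster.
BASELINE: Dict[str, DcSpec] = {
    "analyst": {"dc_eu"},
    "ingest": {"dc_eu"},          # dump shows dc_us as well -> escalated
    "batch": {"dc_us"},           # no row in the dump -> unrestricted
    "cassandra": ALL,             # superuser is meant to be unrestricted
}


def parse_dcs(field: str) -> Set[str]:
    """Parse the dcs column as exported by cqlsh, e.g. "{'dc_eu', 'dc_us'}"."""
    field = field.strip()
    if field in ("", "{}", "null"):
        return set()               # empty set literal; left for the operator to judge
    value = ast.literal_eval(field)
    if not isinstance(value, set) or not all(isinstance(v, str) for v in value):
        raise ValueError(f"unexpected dcs literal: {field!r}")
    return value


def parse_dump(text: str) -> Dict[str, Set[str]]:
    """Turn the CSV dump into {role: set_of_datacenters}."""
    rows: Dict[str, Set[str]] = {}
    for rec in csv.reader(io.StringIO(text)):
        if not rec:
            continue
        if len(rec) != 2:
            raise ValueError(f"expected 'role,dcs', got {rec!r}")
        role, dcs = rec
        rows[role.strip()] = parse_dcs(dcs)
    return rows


def effective(rows: Dict[str, Set[str]], role: str) -> DcSpec:
    """Effective datacenter access for a role; missing row means ALL (see assumption above)."""
    return rows.get(role, ALL)


def audit(rows: Dict[str, Set[str]], baseline: Dict[str, DcSpec]) -> List[Tuple[str, str, str]]:
    """Return (role, kind, detail) findings. 'escalated' is the one that matters
    for CVE-2025-24860; 'narrowed' and 'unknown' are drift worth explaining."""
    findings: List[Tuple[str, str, str]] = []
    for role, intended in sorted(baseline.items()):
        actual = effective(rows, role)
        if intended == ALL:
            continue                      # nothing wider than ALL to escalate to
        if actual == ALL:
            findings.append((role, "escalated",
                             f"expected {sorted(intended)}, found unrestricted"))
        elif actual - intended:
            findings.append((role, "escalated",
                             f"extra datacenters {sorted(actual - intended)}"))
        elif intended - actual:
            findings.append((role, "narrowed",
                             f"missing datacenters {sorted(intended - actual)}"))
    for role in sorted(set(rows) - set(baseline)):
        findings.append((role, "unknown",
                         "role has network permissions but no baseline entry"))
    return findings


if __name__ == "__main__":
    for role, kind, detail in audit(parse_dump(PERMS_CSV), BASELINE):
        print(f"{kind:9} {role:12} {detail}")
```

Run it against a real export after upgrading to a fixed version; any "escalated" finding on a cluster that ran an affected release is a change the authorizer should have refused, and the corresponding role's grants should be reset with ALTER ROLE rather than merely noted. Clusters on 5.0.x using CassandraCIDRAuthorizer need the same comparison for their CIDR group assignments, which live in separate system_auth tables this script does not read.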
Affected Products
- Apache Cassandra
Affected Vendors
- Apache Software Foundation