AZL-66675

See a problem?

Import Source

https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-66675.json

JSON Data

https://api.osv.dev/v1/vulns/AZL-66675

Upstream

CVE-2025-26467

Published

2025-08-25T14:15:30Z

Modified

2026-04-21T04:37:57.016234Z

Summary

CVE-2025-26467 affecting package cassandra 4.0.10-1

Details

Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. An user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system resource. Operators granting data MODIFY permission on all keyspaces on affected versions should review data access rules for potential breaches.

This issue affects Apache Cassandra 3.0.30, 3.11.17, 4.0.16, 4.1.7, 5.0.2, but this advisory is only for 4.0.16 because the fix to CVE-2025-23015 was incorrectly applied to 4.0.16, so that version is still affected.

Users in the 4.0 series are recommended to upgrade to version 4.0.17 which fixes the issue. Users from 3.0, 3.11, 4.1 and 5.0 series should follow recommendation from CVE-2025-23015.

References

https://nvd.nist.gov/vuln/detail/CVE-2025-26467

Affected packages

Azure Linux:2 / cassandra

Package

Name: cassandra
Purl: pkg:rpm/azure-linux/cassandra

Affected ranges

Type: ECOSYSTEM
Events: Introduced

0Unknown introduced version / All previous versions are affected

Last affected

4.0.10-1

Database specific

source

"https://github.com/microsoft/AzureLinuxVulnerabilityData/blob/main/osv/AZL-66675.json"