Spring Boot Cassandra SSL Hostname Verification Vulnerability

Vulnerability

A vulnerability exists in Spring Boot's Cassandra auto-configuration, where hostname verification is not performed when establishing an SSL connection to Cassandra. This issue affects Spring Boot versions 4.0.0 through 4.0.5, 3.5.0 through 3.5.13, 3.4.0 through 3.4.15, 3.3.0 through 3.3.18, and 2.7.0 through 2.7.32. Older versions that are no longer supported are also affected.

Impact

The lack of hostname verification in SSL connections to Cassandra could allow man-in-the-middle attacks, in which an attacker intercepts or alters the communication between Spring Boot and the Cassandra database.

Remediation

Users should upgrade to Spring Boot version 4.0.6, 3.5.14, 3.4.16 (Enterprise Support Only), 3.3.19 (Enterprise Support Only), or 2.7.33 (Enterprise Support Only), depending on their current version.
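To make the missing check concrete, here is an added example (not Spring Boot's or the DataStax driver's own code) of a custom SslEngineFactory for the DataStax Java driver that always turns on JSSE endpoint identification, which is what hostname verification means at the TLS layer, plus a helper a test can use to assert that it is on. It assumes the driver's SslEngineFactory and EndPoint interfaces and an SSLContext already loaded with your truststore; wiring the factory into a Spring Boot CqlSession is not shown, and upgrading as described under Remediation remains the fix.

```java
import java.net.InetSocketAddress;
import java.net.SocketAddress;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLParameters;
import com.datastax.oss.driver.api.core.metadata.EndPoint;
import com.datastax.oss.driver.api.core.ssl.SslEngineFactory;

/**
 * SslEngineFactory that always enables hostname verification.
 * Added example; assumes the DataStax Java driver SslEngineFactory/EndPoint API.
 */
public final class HostnameVerifyingSslEngineFactory implements SslEngineFactory {

  private final SSLContext sslContext; // assumed to be built from your truststore

  public HostnameVerifyingSslEngineFactory(SSLContext sslContext) {
    this.sslContext = sslContext;
  }

  @Override
  public SSLEngine newSslEngine(EndPoint remoteEndpoint) {
    SocketAddress address = remoteEndpoint.resolve();
    if (!(address instanceof InetSocketAddress)) {
      // Fail closed: without a host name there is nothing to verify the certificate against.
      throw new IllegalArgumentException("Cannot verify hostname for endpoint " + remoteEndpoint);
    }
    InetSocketAddress inet = (InetSocketAddress) address;
    // Pass host and port so JSSE knows which name to compare with the certificate's SAN/CN.
    SSLEngine engine = sslContext.createSSLEngine(inet.getHostString(), inet.getPort());
    engine.setUseClientMode(true);
    // This is the step whose absence the advisory describes: without it JSSE validates the
    // chain to a trusted CA but never checks that the certificate was issued for this host.
    SSLParameters params = engine.getSSLParameters();
    params.setEndpointIdentificationAlgorithm("HTTPS");
    engine.setSSLParameters(params);
    return engine;
  }

  /** Test helper: true only if endpoint identification is enabled on the engine. */
  public static boolean verifiesHostname(SSLEngine engine) {
    String algorithm = engine.getSSLParameters().getEndpointIdentificationAlgorithm();
    return algorithm != null && !algorithm.isEmpty();
  }

  @Override
  public void close() {}
}
```

A unit test can call verifiesHostname on the engine returned for a known node address to guard against a future regression to an unverified connection.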

Added: Apr 28, 2026, 12:31 AM
Updated: Apr 28, 2026, 12:31 AM

Vulnerability Rating

Custom Algorithm
spread          7.6
impact          5.0
exploitability  6.4
remediation     7.7
relevance       6.9
threat          0.0
urgency         2.9
incentive       0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.