07 June 2026
Reference: CVE-2020-36939
1. What is being reported?
The vulnerability is in the Cassandra Web 0.5.0 plugin, where attackers can trick the system into reading files they shouldn’t be able to see by manipulating certain web requests. This happens because a security feature called Rack::Protection is turned off, allowing unauthorised access to important system files and database passwords.
2. What this means in plain English
If your organisation uses this plugin, attackers could potentially steal sensitive information such as user details or database access credentials. This could lead to data loss, disruption of services, or further attacks on your systems.
3. Could this affect a small business?
Small businesses or charities using Apache Cassandra with this specific web plugin version could be at risk. If you don’t use this software or plugin, this vulnerability probably does not affect you. It’s best to check with your IT provider to be sure.
4. What to do now
- Check if your organisation uses Apache Cassandra with the Cassandra Web 0.5.0 plugin.
- Ask your IT provider if the Rack::Protection module is disabled and if this vulnerability applies to your setup.
- Apply any available updates or patches from your software supplier to fix this issue.
- Limit access to your database and monitor for any unusual activity until the issue is resolved.
5. Ask your IT provider
Can you confirm whether our Apache Cassandra setup uses the Cassandra Web 0.5.0 plugin, if Rack::Protection is disabled, and what steps are being taken to protect us from CVE-2020-36939?
6. Bottom line
If you use this plugin, act quickly to check and secure your systems to prevent unauthorised access to sensitive data.
Information based on NVD, CISA KEV, and reputable security reporting.