Free practical cybersecurity guidance for organisations without a security team.
hello@actionsoncyber.com
← Back to Vulnerability Briefs

Important Security Flaw in Apache Cassandra Web Plugin Could Expose Sensitive Files

A serious security weakness has been found in a web plugin used with Apache Cassandra databases. This flaw could let attackers access sensitive files and database credentials without needing a password, which could lead to data breaches.

07 June 2026

Reference: CVE-2020-36939

1. What is being reported?

The vulnerability is in the Cassandra Web 0.5.0 plugin, where attackers can trick the system into reading files they shouldn’t be able to see by manipulating certain web requests. This happens because a security feature called Rack::Protection is turned off, allowing unauthorised access to important system files and database passwords.

2. What this means in plain English

If your organisation uses this plugin, attackers could potentially steal sensitive information such as user details or database access credentials. This could lead to data loss, disruption of services, or further attacks on your systems.

3. Could this affect a small business?

Small businesses or charities using Apache Cassandra with this specific web plugin version could be at risk. If you don’t use this software or plugin, this vulnerability probably does not affect you. It’s best to check with your IT provider to be sure.

4. What to do now

  • Check if your organisation uses Apache Cassandra with the Cassandra Web 0.5.0 plugin.
  • Ask your IT provider if the Rack::Protection module is disabled and if this vulnerability applies to your setup.
  • Apply any available updates or patches from your software supplier to fix this issue.
  • Limit access to your database and monitor for any unusual activity until the issue is resolved.

5. Ask your IT provider

Can you confirm whether our Apache Cassandra setup uses the Cassandra Web 0.5.0 plugin, if Rack::Protection is disabled, and what steps are being taken to protect us from CVE-2020-36939?

6. Bottom line

If you use this plugin, act quickly to check and secure your systems to prevent unauthorised access to sensitive data.

Information based on NVD, CISA KEV, and reputable security reporting.

Back to Vulnerability Briefs