Questions on CEP-21

2025-02-11 Thread Long Pan
Hey Sam,

*The improvements in CEP-21 look awesome.* I am currently running Cassandra 4.1 and plan to upgrade to
5.x in the future, where CEP-21 has been implemented. I have a few
questions:

   1. I am using the single-token architecture, where operators set the token
   for every node by explicitly configuring the initial_token field in
   cassandra.yaml. There should be no conflict between this setup and
   CEP-21, correct? My understanding suggests it is compatible, but I'd like
   to confirm it to be safe.

   2. In the CEP, you provided a detailed explanation and examples of the
   bootstrap and decommission flows (link). Would you mind extending this to
   cover the flow for node replacement as well?

   3. Since the Cassandra Management System (CMS) holds the source of truth
   for cluster topology, will there be a nodetool command to query CMS
   directly for this information? As operators, we often need to retrieve
   topology details, such as which nodes are leaving, live, joining, moving,
   or unreachable. Currently, this information is obtained via a JMX call to
   org.apache.cassandra.db:type=StorageService, which is gossip-backed.
   However, gossip mismatches can lead to non-deterministic results across
   nodes.

Thanks, and I appreciate your insights!

Best,
Long


CVE-2025-26467: Apache Cassandra: User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsafe actions (4.0.16 only)

2025-02-11 Thread Paulo Motta
Severity: moderate

Affected versions:

- Apache Cassandra 4.0.16

Description:

Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. A 
user with MODIFY permission ON ALL KEYSPACES can escalate privileges to 
superuser within a targeted Cassandra cluster via unsafe actions to a system 
resource. Operators granting data MODIFY permission on all keyspaces on 
affected versions should review data access rules for potential breaches.

This issue affects Apache Cassandra 3.0.30, 3.11.17, 4.0.16, 4.1.7, 5.0.2, but 
this advisory is only for 4.0.16 because the fix to CVE-2025-23015 was 
incorrectly applied to 4.0.16, so that version is still affected.

Users in the 4.0 series are recommended to upgrade to version 4.0.17 which 
fixes the issue. Users from 3.0, 3.11, 4.1 and 5.0 series should follow 
recommendation from CVE-2025-23015.

Credit:

Adam Pond of Apple Services Engineering Security (finder)
Ali Mirheidari of Apple Services Engineering Security (finder)
Terry Thibault of Apple Services Engineering Security (finder)
Will Brattain of Apple Services Engineering Security (finder)

References:

https://cassandra.apache.org/
https://www.cve.org/CVERecord?id=CVE-2025-26467
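The advisory asks operators on affected versions to review who holds MODIFY on all keyspaces. The script below is an added triage example, not code from the advisory or from the Apache Cassandra project: it maps a reported version string to the advisory's recommendation and parses cqlsh-style `LIST ALL PERMISSIONS;` output to list the roles with that exact grant. The permissions table embedded in it is constructed, and the assumption that cqlsh renders the all-keyspaces resource as `<all keyspaces>` is marked in the code.

```python
"""Triage helper for the advisory above (added example, not Apache code).

Answers two operator questions offline:
  1. Given a reported Cassandra version, which recommendation applies?
  2. Given `LIST ALL PERMISSIONS;` output, which roles hold MODIFY on
     ALL KEYSPACES and therefore need their access reviewed?
"""
from dataclasses import dataclass

# Versions the advisory names as affected by the underlying issue, and the
# single version this advisory (CVE-2025-26467) is scoped to.
UNDERLYING_ISSUE_VERSIONS = {"3.0.30", "3.11.17", "4.0.16", "4.1.7", "5.0.2"}
ADVISORY_VERSION = "4.0.16"
FIXED_VERSION_40 = "4.0.17"

# Assumption: cqlsh renders the all-keyspaces data resource as "<all keyspaces>".
ALL_KEYSPACES_RESOURCE = "<all keyspaces>"


@dataclass(frozen=True)
class Grant:
    role: str
    resource: str
    permission: str


# Constructed sample in the shape of cqlsh's `LIST ALL PERMISSIONS;` table
# (role | username | resource | permission). Not data from any real cluster.
SAMPLE_LIST_ALL_PERMISSIONS = """\
 role      | username  | resource              | permission
-----------+-----------+-----------------------+------------
 app_rw    | app_rw    | <all keyspaces>       | MODIFY
 app_rw    | app_rw    | <all keyspaces>       | SELECT
 reporting | reporting | <keyspace sales>      | SELECT
 loader    | loader    | <table sales.events>  | MODIFY
 ops       | ops       | <all keyspaces>       | ALTER
"""


def parse_permissions(table_text: str) -> list[Grant]:
    """Parse cqlsh-style tabular output into Grant records."""
    grants = []
    for line in table_text.splitlines():
        if "|" not in line:
            continue                      # blank line or "(N rows)" footer
        if set(line.strip()) <= set("-+"):
            continue                      # column separator line
        cols = [c.strip() for c in line.split("|")]
        if cols[0] == "role":
            continue                      # header row
        role, _username, resource, permission = cols[:4]
        grants.append(Grant(role, resource, permission))
    return grants


def roles_with_modify_on_all_keyspaces(grants: list[Grant]) -> list[str]:
    """Roles holding exactly the grant the advisory warns about."""
    return sorted({g.role for g in grants
                   if g.permission == "MODIFY"
                   and g.resource == ALL_KEYSPACES_RESOURCE})


def recommendation(version: str) -> str:
    """Map a reported version to the advisory's recommendation."""
    if version == ADVISORY_VERSION:
        return f"Upgrade to {FIXED_VERSION_40}"
    if version in UNDERLYING_ISSUE_VERSIONS:
        return "Follow the recommendation from CVE-2025-23015"
    return "Not listed as affected by this advisory"


def triage(version: str, table_text: str) -> dict:
    """Combine the version check with the grant review into one report."""
    grants = parse_permissions(table_text)
    return {
        "version": version,
        "advisory_applies": version == ADVISORY_VERSION,
        "recommendation": recommendation(version),
        "roles_to_review": roles_with_modify_on_all_keyspaces(grants),
    }


if __name__ == "__main__":
    for v in ("4.0.16", "4.1.7", "4.0.17"):
        print(triage(v, SAMPLE_LIST_ALL_PERMISSIONS))
```

On the constructed sample only `app_rw` is flagged: `loader` has MODIFY on a single table and `ops` has ALTER rather than MODIFY, neither of which is the grant the advisory names. The script checks direct grants only; if you use role inheritance, review each role with `LIST ALL PERMISSIONS OF <role>` so that permissions obtained through granted roles are included.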