Spring Boot's Cassandra SSL auto-configuration disables TLS hostname verification
Moderate severity
GitHub Reviewed
Published Apr 28, 2026 to the GitHub Advisory Database. Updated May 6, 2026
Package
Affected versions
>= 4.0.0, < 4.0.6
>= 3.5.0, < 3.5.14
>= 3.4.0, <= 3.4.15
>= 3.3.0, <= 3.3.18
<= 2.7.32
Patched versions
4.0.6
3.5.14
Published by the National Vulnerability Database: Apr 28, 2026
Published to the GitHub Advisory Database: Apr 28, 2026
Reviewed: May 6, 2026
Last updated: May 6, 2026
Description
Spring Boot's Cassandra auto-configuration does not perform hostname verification when establishing an SSL connection to Cassandra.
Affected: Spring Boot 4.0.0–4.0.5 (fix 4.0.6), 3.5.0–3.5.13 (fix 3.5.14), 3.4.0–3.4.15 (fix 3.4.16), 3.3.0–3.3.18 (fix 3.3.19), 2.7.0–2.7.32 (fix 2.7.33); Cassandra SSL auto-configuration. Versions that are no longer supported are also affected per vendor advisory.
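To triage a service inventory against the ranges above, the following added example (not part of the advisory or of Spring Boot) classifies a Spring Boot version string and lists the services that need action. The inventory, the function names and the choice to treat pre-release builds of a fix version as unfixed are assumptions made here.

```python
import re

# Fix version for each release line, copied from the advisory text above.
FIXED_IN = {(4, 0): (4, 0, 6), (3, 5): (3, 5, 14), (3, 4): (3, 4, 16),
            (3, 3): (3, 3, 19), (2, 7): (2, 7, 33)}
NEWEST_LINE = max(FIXED_IN)

def parse_version(text):
    """Split '3.5.13', '2.3.12.RELEASE' or '4.0.6-SNAPSHOT' into
    ((major, minor, patch), is_prerelease)."""
    m = re.fullmatch(r"(\d+)\.(\d+)\.(\d+)(?:[.-]([A-Za-z0-9]+))?", text.strip())
    if m is None:
        raise ValueError(f"unrecognised version: {text!r}")
    numbers = tuple(int(m.group(i)) for i in (1, 2, 3))
    return numbers, (m.group(4) or "RELEASE").upper() != "RELEASE"

def classify(version):
    """Return (status, fix): status is 'affected', 'patched' or 'unlisted'."""
    numbers, prerelease = parse_version(version)
    line = numbers[:2]
    fix = FIXED_IN.get(line)
    if fix is None:
        # Lines newer than any the advisory names are not covered by the page;
        # older ones fall under "<= 2.7.32" or the unsupported-versions sentence.
        return ("unlisted", None) if line > NEWEST_LINE else ("affected", None)
    # A pre-release of the fix version (e.g. 4.0.6-SNAPSHOT) may predate the fix.
    if numbers > fix or (numbers == fix and not prerelease):
        return "patched", None
    return "affected", ".".join(map(str, fix))

def triage(inventory):
    """Map each service that uses Cassandra SSL auto-configuration and runs an
    affected Spring Boot version to the action to take."""
    actions = {}
    for service, (version, cassandra_ssl) in inventory.items():
        status, fix = classify(version)
        if cassandra_ssl and status == "affected":
            actions[service] = f"upgrade to {fix}" if fix else "no fix listed for this line"
    return actions

# Constructed inventory: service -> (Spring Boot version, Cassandra SSL in use?)
SAMPLE = {"orders": ("3.5.13", True), "billing": ("3.5.14", True),
          "search": ("3.2.12", True), "reports": ("4.0.2", False),
          "legacy": ("2.7.18", True), "edge": ("4.0.6-SNAPSHOT", True)}

if __name__ == "__main__":
    for service, action in triage(SAMPLE).items():
        print(f"{service}: {action}")
```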
References