Hazelcast


Products by Hazelcast Sorted by Most Security Vulnerabilities since 2018

Hazelcast: 7 vulnerabilities

Hazelcast Jet: 1 vulnerability

Hazelcast Imdg: 1 vulnerability

Hazelcast Jet: 1 vulnerability

By the Year

In 2026 there have been 0 vulnerabilities in Hazelcast. Last year, in 2025, Hazelcast had 1 security vulnerability published. Right now, Hazelcast is on track to have fewer security vulnerabilities in 2026 than it did last year.




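| Year | Vulnerabilities | Average Score |
|------|-----------------|---------------|
| 2026 | 0 | 0.00 |
| 2025 | 1 | 0.00 |
| 2024 | 2 | 6.50 |
| 2023 | 2 | 6.55 |
| 2022 | 2 | 9.45 |
| 2021 | 0 | 0.00 |
| 2020 | 1 | 9.80 |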

It may take a day or so for new Hazelcast vulnerabilities to show up in the stats or in the list of recent security vulnerabilities. Additionally, vulnerabilities may be tagged under a different product or component name.

Recent Hazelcast Security Vulnerabilities

| CVE | Date | Vulnerability | Products |
|-----|------|---------------|----------|
| CVE-2024-56518 | Apr 17, 2025 | Hazelcast Management Center 6.0 RCE via JndiLoginModule user.provider.url upload. Hazelcast Management Center through 6.0 allows remote code execution via a JndiLoginModule user.provider.url in a hazelcast-client XML document (aka a client configuration file), which can be uploaded at the /cluster-connections URI. | Management Center |
| CVE-2023-45859 | Feb 28, 2024 | Hazelcast <=5.3.2 Permission Check Bypass Allows Authenticated Data Access. In Hazelcast through 4.1.10, 4.2 through 4.2.8, 5.0 through 5.0.5, 5.1 through 5.1.7, 5.2 through 5.2.4, and 5.3 through 5.3.2, some client operations don't check permissions properly, allowing authenticated users to access data stored in the cluster. | Hazelcast |
| CVE-2023-45860 | Feb 16, 2024 | Hazelcast CSV Source Connector Permission Bypass <5.3.4. In Hazelcast Platform through 5.3.4, a security issue exists within the SQL mapping for the CSV File Source connector. This issue arises from inadequate permission checking, which could enable unauthorized clients to access data from files stored on a member's filesystem. | Hazelcast |
| CVE-2023-33265 | Jul 18, 2023 | Hazelcast 5.0.0-5.2.3 ExecSvc Perm Check Bypass. In Hazelcast through 5.0.4, 5.1 through 5.1.6, and 5.2 through 5.2.3, executor services don't check client permissions properly, allowing authenticated users to execute tasks on members without the required permissions granted. | Imdg, Hazelcast |
| CVE-2023-33264 | May 22, 2023 | Hazelcast <=5.2.3 config leaks passwords in Management Center. In Hazelcast through 5.0.4, 5.1 through 5.1.6, and 5.2 through 5.2.3, configuration routines don't mask passwords in the member configuration properly. This allows Hazelcast Management Center users to view some of the secrets. | Hazelcast |
| CVE-2022-36437 | Dec 29, 2022 | Remote Unauth Access via ConnectionHandler in Hazelcast 5.1.2. The Connection handler in Hazelcast and Hazelcast Jet allows a remote unauthenticated attacker to access and manipulate data in the cluster with the identity of another already authenticated connection. The affected Hazelcast versions are through 4.0.6, 4.1.9, 4.2.5, 5.0.3, and 5.1.2. The affected Hazelcast Jet versions are through 4.5.3. | Hazelcast Jet, Hazelcast |
| CVE-2022-0265 | Mar 03, 2022 | Improper Restriction of XML External Entity Reference in GitHub repository hazelcast/hazelcast in 5.1-BETA-1. | Hazelcast |
| CVE-2020-26168 | Nov 09, 2020 | The LDAP authentication method in LdapLoginModule in Hazelcast IMDG Enterprise 4.x before 4.0.3, and Jet Enterprise 4.x through 4.2, doesn't verify properly the password in some system-user-dn scenarios. As a result, users (clients/members) can be authenticated even if they provide invalid passwords. | Hazelcast, Jet |
Built by Foundeo Inc., with data from the National Vulnerability Database (NVD).