Port reference
Port 9042 (TCP) – Apache Cassandra CQL
Default port for the Cassandra CQL native binary protocol used by clients and drivers.
Default state
Cassandra ships with the PasswordAuthenticator disabled and a default cassandra/cassandra superuser. Many instances listen on 0.0.0.0:9042 with no authentication, exposing all keyspaces.
Common attacks
- Login with the default cassandra/cassandra superuser credentials
- Unauthenticated CQL access to read or dump all keyspaces and tables
- Data exfiltration and deletion of sensitive records
- CQL injection from exposed application layers
Hardening
- Enable PasswordAuthenticator and CassandraAuthorizer; change the default cassandra user
- Bind rpc_address to a private interface; never expose 9042 to the internet
- Require client-to-node TLS encryption
- Firewall 9042 to application hosts; restrict JMX (7199) and inter-node (7000)
- Keep Cassandra patched and audit access
nmap snippet
nmap -p9042 --script banner <target>
Replace <target> with the host or range you're authorized to scan.
What runs on port 9042?
Port 9042 is the default for the Apache Cassandra CQL native protocol, the binary interface that client drivers use to run CQL queries against a Cassandra cluster. Applications connect over 9042 to read and write rows in keyspaces and tables. Node-to-node traffic uses 7000 and JMX management uses 7199.
Why it matters for security
Cassandra ships with the PasswordAuthenticator disabled and a well-known default superuser, cassandra/cassandra. When 9042 is reachable with auth off or default credentials, anyone can run CQL to read, dump, or delete every keyspace. Cassandra often stores large volumes of user and event data, so an open instance is a direct data-breach risk.
How it's attacked
Attackers scan for open 9042 and either connect without authentication or log in with cassandra/cassandra. They enumerate keyspaces, exfiltrate sensitive tables, and may delete data. Where the database backs an application, CQL injection can also be used to extract or manipulate records.
Hardening checklist
Enable the PasswordAuthenticator and CassandraAuthorizer, replace the default cassandra superuser, and use least-privilege roles. Bind rpc_address to a private interface, require client-to-node TLS, and firewall 9042 to application hosts. Restrict inter-node 7000 and JMX 7199 to trusted networks. Patch regularly and audit access. Use the nmap snippet above to detect exposed instances on hosts you are authorized to test.
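A small audit of the cassandra.yaml settings named in this checklist, added here as an example and not part of the original reference. It assumes the stock keys authenticator, authorizer, rpc_address and client_encryption_options.enabled, and both configuration fragments are constructed samples.

```python
import re

# Constructed sample of out-of-the-box settings (not a real deployment's file).
WEAK_YAML = """\
rpc_address: 0.0.0.0
authenticator: AllowAllAuthenticator
authorizer: AllowAllAuthorizer
client_encryption_options:
  enabled: false
"""

# Constructed sample with the hardened values from the checklist.
HARDENED_YAML = """\
rpc_address: 10.0.0.5
authenticator: PasswordAuthenticator
authorizer: CassandraAuthorizer
client_encryption_options:
  enabled: true
"""

def parse_flat(text):
    """Minimal reader: top-level scalars plus one level of nesting (stored as a.b)."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].rstrip()
        m = re.match(r"^(\s*)([A-Za-z_]+):\s*(.*)$", line)
        if not m:
            continue
        indent, key, value = m.groups()
        value = value.strip().strip("'\"")
        if not indent:  # top-level key: a bare "key:" opens a nested section
            section = key if value == "" else None
            if value:
                settings[key] = value
        elif section:
            settings[f"{section}.{key}"] = value
    return settings

def audit(text):
    """Return one finding per weak setting; an empty list means the checks pass."""
    s = parse_flat(text)
    findings = []
    if s.get("authenticator", "AllowAllAuthenticator") == "AllowAllAuthenticator":
        findings.append("authenticator: clients connect without credentials")
    if s.get("authorizer", "AllowAllAuthorizer") == "AllowAllAuthorizer":
        findings.append("authorizer: any role can read every keyspace")
    if s.get("rpc_address", "localhost") == "0.0.0.0":
        findings.append("rpc_address: CQL listens on all interfaces")
    if s.get("client_encryption_options.enabled", "false") != "true":
        findings.append("client_encryption_options: client-to-node TLS is off")
    return findings
```

Missing keys fall back to Cassandra's shipped defaults, so a file that never sets authenticator is still reported.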
Frequently asked questions
- What is the default Cassandra login?
- Cassandra ships with a default cassandra/cassandra superuser, and authentication is often left disabled. Always enable PasswordAuthenticator, create least-privilege roles, and replace the default account before exposing the database.
- Which Cassandra ports should never be public?
- Keep 9042 (CQL) behind a firewall, and never expose inter-node port 7000 or the JMX port 7199 to untrusted networks, since they allow node and JVM control.