CVE-2026-32588

CWE-400 — Uncontrolled Resource Consumption CWE-770 — Allocation without Limits8 documents7 sources

Severity

6.5MEDIUM

EPSS

0.0%

top 86.58%

CISA KEV

Not in KEV

Exploit

No known exploits

Affected products

Apache Software Foundation Apache Cassandra

Timeline

PublishedApr 7

Latest updateApr 8

Description

Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticated user to raise query latencies via repeated password changes. Users are recommended to upgrade to version 4.0.20, 4.1.11, 5.0.7, which fixes this issue.

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:HExploitability: 2.8 | Impact: 3.6

Affected Packages2 packages

▶Mavenorg.apache.cassandra:cassandra-all4.0 — 4.0.20+2

▶CVEListV5apache_software_foundation/apache_cassandra4.0 — 4.0.19+2

🔴Vulnerability Details

CVEList

Apache Cassandra: Authenticated DoS via ALTER ROLE Password Hashing↗2026-04-07

▶

GHSA

Apache Cassandra has an authenticated DoS over CQL↗2026-04-07

▶

OSV

Apache Cassandra has an authenticated DoS over CQL↗2026-04-07

▶

📋Vendor Advisories

Red Hat

Apache Cassandra: Apache Cassandra: Denial of Service via repeated password changes↗2026-04-07

▶

🕵️Threat Intelligence

Wiz

CVE-2026-32588 Impact, Exploitability, and Mitigation Steps | Wiz↗

▶

💬Community

Bugzilla

CVE-2026-32588 log4j: Apache Cassandra: Denial of Service via repeated password changes [fedora-all]↗2026-04-08

▶

Bugzilla

CVE-2026-32588 Apache Cassandra: Apache Cassandra: Denial of Service via repeated password changes↗2026-04-07

▶