{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32588", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-03-12T13:36:03.338Z", "datePublished": "2026-04-07T16:42:52.361Z", "dateUpdated": "2026-04-07T17:26:02.509Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2/", "defaultStatus": "unaffected", "packageName": "org.apache.cassandra:cassandra-all", "product": "Apache Cassandra", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "4.0.19", "status": "affected", "version": "4.0", "versionType": "semver"}, {"lessThanOrEqual": "4.1.10", "status": "affected", "version": "4.1", "versionType": "semver"}, {"lessThanOrEqual": "5.0.6", "status": "affected", "version": "5.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Youlong Chen, Institute of Computing Technology, Chinese Academy of Sciences"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticated user to raise query latencies via repeated password changes.<br>Users are recommended to upgrade to version 4.0.20, 4.1.11, 5.0.7, which fixes this issue."}], "value": "Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticated user to raise query latencies via repeated password changes.\nUsers are recommended to upgrade to version 4.0.20, 4.1.11, 5.0.7, which fixes this issue."}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-07T16:42:52.361Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/2tnwjdnss378glxrsmnlzz3k53ftphrc"}], "source": {"advisory": "CASSANDRA-21202", "discovery": "EXTERNAL"}, "title": "Apache Cassandra: Authenticated DoS via ALTER ROLE Password Hashing", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/07/9"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-07T17:26:02.509Z"}}]}}

{}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticated user to raise query latencies via repeated password changes.\nUsers are recommended to upgrade to version 4.0.20, 4.1.11, 5.0.7, which fixes this issue."}], "id": "CVE-2026-32588", "lastModified": "2026-04-08T21:27:00.663", "metrics": {}, "published": "2026-04-07T17:16:28.297", "references": [{"source": "security@apache.org", "url": "https://lists.apache.org/thread/2tnwjdnss378glxrsmnlzz3k53ftphrc"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/07/9"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Awaiting Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security@apache.org", "type": "Secondary"}]}

{"bugzilla": {"description": "Apache Cassandra: Apache Cassandra: Denial of Service via repeated password changes", "id": "2456105", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456105"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-770", "details": ["A flaw was found in Apache Cassandra. An authenticated user can exploit this vulnerability by repeatedly changing their password over the Cassandra Query Language (CQL). This action can significantly increase query latencies, leading to a Denial of Service (DoS) for the system."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-32588", "package_state": [{"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Fix deferred", "package_name": "cassandra-all", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "cassandra-all", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "cassandra-all", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "cassandra-all", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "cassandra-all", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2026-04-07T16:42:52Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-32588\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32588\nhttp://www.openwall.com/lists/oss-security/2026/04/07/9\nhttps://issues.apache.org/jira/browse/CASSANDRA-21202\nhttps://lists.apache.org/thread/2tnwjdnss378glxrsmnlzz3k53ftphrc"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0,4.0.19]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.1,4.1.10]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0,5.0.6]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Apache Cassandra", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "cassandra", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-07T22:07:58.220442+00:00", "value": {"mitigation_remediation": ["Upgrade Apache Cassandra to version 4.0.20, 4.1.11, or 5.0.7, ensuring that all nodes in the cluster receive the update.", "Restart affected Cassandra services after the upgrade to apply the new configuration."], "summary": {"action": "Patch Upgrade", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "The vulnerability impacts Apache Software Foundation\u2019s Apache Cassandra versions 4.0, 4.1, and 5.0. Users running any of these releases should check their current patch level. The issue was fixed in Cassandra 4.0.20, 4.1.11, and 5.0.7, so those versions provide the necessary mitigation.", "description_and_impact": "A flaw in Apache Cassandra causes a denial\u2011of\u2011service when an authenticated user repeatedly issues ALTER ROLE commands that change password hashing. Each password change forces the database to rehash the password string, which can drastically increase query latency. The weakness is a resource depletion flaw identified as CWE\u2011400, allowing an attacker to exhaust server resources and degrade performance for legitimate users.", "risk_and_exploitability": "The flaw requires an attacker to be authenticated with an account that has permission to alter role passwords, so initial compromise or legitimate credentials are prerequisites. EPSS data is unavailable and the vulnerability is not listed in the CISA KEV catalog, but the lack of a public exploit combined with the high impact of performance degradation suggests a moderate to high risk, especially for production environments where Cassandra is critical. The likely attack vector is through CQL traffic to the database, which, if exploitable, can be performed remotely over the network. Timely patching is therefore essential to reduce exploitation likelihood and protect service availability."}}}}, "created": "2026-04-08T19:36:42.635378+00:00", "updated": "2026-04-08T19:47:46.029303+00:00", "vendors": ["apache", "apache$PRODUCT$cassandra"]}