Description
Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticated user to raise query latencies via repeated password changes.
Users are recommended to upgrade to version 4.0.20, 4.1.11, 5.0.7, which fixes this issue.
Published: 2026-04-07
Score: 6.5 Medium
EPSS: < 1% Very Low
KEV: No
Impact: Denial of Service
Action: Patch Now
AI Analysis

Impact

Authenticated users can repeatedly change their passwords, causing Cassandra to perform costly hashing for each change. This repeated computation increases query latencies and can degrade overall cluster performance, ultimately leading to a denial of service for legitimate users. The vulnerability reflects uncontrolled resource consumption and unbounded allocation of resources.

Affected Systems

Apache Cassandra releases 4.0, 4.1, and 5.0 are vulnerable. The issue is fixed in releases 4.0.20, 4.1.11, and 5.0.7, so upgrading to those versions removes the flaw.

Risk and Exploitability

The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1 % suggests that exploitation is unlikely in the wild. Exploitation requires valid credentials or an already compromised account; once authenticated, an attacker can submit many password change requests to inflate cluster latency. The vulnerability is not currently listed in the CISA KEV catalog, but the combination of moderate severity and authenticated access warrants timely remediation or mitigation.

Generated by OpenCVE AI on April 9, 2026 at 17:31 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Cassandra to version 4.0.20, 4.1.11, or 5.0.7 to remove the flaw.
  • If an upgrade cannot be applied immediately, limit ALTER ROLE permissions to trusted accounts to reduce the ability to trigger repeated password changes.

Generated by OpenCVE AI on April 9, 2026 at 17:31 UTC.

Tracking

Sign in to view the affected projects.

Advisories
Source ID Title
Github GHSA Github GHSA GHSA-qffm-gf3j-6mvg Apache Cassandra has an authenticated DoS over CQL
History

Wed, 15 Apr 2026 16:00:00 +0000

Type Values Removed Values Added
CPEs cpe:2.3:a:apache:cassandra:*:*:*:*:*:*:*:*

Thu, 09 Apr 2026 15:15:00 +0000

Type Values Removed Values Added
Metrics cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}

 ssvc

{'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

cvssV3_1

{'score': 6.5, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H'}

Thu, 09 Apr 2026 00:15:00 +0000

Type Values Removed Values Added
Weaknesses CWE-770
References
Metrics threat_severity

None

 cvssV3_1

{'score': 4.3, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L'}

threat_severity

Moderate

Wed, 08 Apr 2026 20:15:00 +0000

Type Values Removed Values Added
First Time appeared Apache
Apache cassandra
Vendors & Products Apache
Apache cassandra

Tue, 07 Apr 2026 20:45:00 +0000

Type Values Removed Values Added
References

Tue, 07 Apr 2026 18:00:00 +0000

Type Values Removed Values Added
Description Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticated user to raise query latencies via repeated password changes. Users are recommended to upgrade to version 4.0.20, 4.1.11, 5.0.7, which fixes this issue.
Title Apache Cassandra: Authenticated DoS via ALTER ROLE Password Hashing
Weaknesses CWE-400
References

Subscriptions

Apache Cassandra
cve-icon MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-04-09T14:43:57.808Z

Reserved: 2026-03-12T13:36:03.338Z

Link: CVE-2026-32588

cve-icon Vulnrichment

Updated: 2026-04-07T17:26:02.509Z

cve-icon NVD

Status : Analyzed

Published: 2026-04-07T17:16:28.297

Modified: 2026-04-15T15:45:40.473

Link: CVE-2026-32588

cve-icon Redhat

Severity : Moderate

Publid Date: 2026-04-07T16:42:52Z

Links: CVE-2026-32588 - Bugzilla

cve-icon OpenCVE Enrichment

Updated: 2026-04-10T09:41:26Z

Weaknesses