oss-sec mailing list archives

CASSANDRA-21202: CVE-2026-32588: Apache Cassandra: Authenticated DoS via ALTER ROLE Password Hashing

From: Michael Semb Wever <mck () apache org>
Date: Tue, 07 Apr 2026 13:57:54 +0000

Severity: low 

Affected versions:

- Apache Cassandra (org.apache.cassandra:cassandra-all) 4.0 through 4.0.19
- Apache Cassandra (org.apache.cassandra:cassandra-all) 4.1 through 4.1.10
- Apache Cassandra (org.apache.cassandra:cassandra-all) 5.0 through 5.0.6

Description:

Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticated user to raise query latencies via 
repeated password changes.
Users are recommended to upgrade to version 4.0.20, 4.1.11, 5.0.7, which fixes this issue.

Credit:

Youlong Chen, Institute of Computing Technology, Chinese Academy of Sciences (reporter)

References:

https://cassandra.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-32588

Current thread:

CASSANDRA-21202: CVE-2026-32588: Apache Cassandra: Authenticated DoS via ALTER ROLE Password Hashing Michael Semb Wever (Apr 07)