CASSANDRA-21202: CVE-2026-32588: Apache Cassandra: Authenticated DoS via ALTER ROLE Password Hashing

Michael Semb Wever Tue, 07 Apr 2026 07:00:29 -0700

Severity: low 

Affected versions:


- Apache Cassandra (org.apache.cassandra:cassandra-all) 4.0 through 4.0.19
- Apache Cassandra (org.apache.cassandra:cassandra-all) 4.1 through 4.1.10
- Apache Cassandra (org.apache.cassandra:cassandra-all) 5.0 through 5.0.6

Description:

Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows 
authenticated user to raise query latencies via repeated password changes.
Users are recommended to upgrade to version 4.0.20, 4.1.11, 5.0.7, which fixes 
this issue.

Credit:

Youlong Chen, Institute of Computing Technology, Chinese Academy of Sciences 
(reporter)

References:

https://cassandra.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-32588

CASSANDRA-21202: CVE-2026-32588: Apache Cassandra: Authenticated DoS via ALTER ROLE Password Hashing

Reply via email to