{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32588", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-03-12T13:36:03.338Z", "datePublished": "2026-04-07T16:42:52.361Z", "dateUpdated": "2026-04-09T14:43:57.808Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2/", "defaultStatus": "unaffected", "packageName": "org.apache.cassandra:cassandra-all", "product": "Apache Cassandra", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "4.0.19", "status": "affected", "version": "4.0", "versionType": "semver"}, {"lessThanOrEqual": "4.1.10", "status": "affected", "version": "4.1", "versionType": "semver"}, {"lessThanOrEqual": "5.0.6", "status": "affected", "version": "5.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Youlong Chen, Institute of Computing Technology, Chinese Academy of Sciences"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticated user to raise query latencies via repeated password changes.<br>Users are recommended to upgrade to version 4.0.20, 4.1.11, 5.0.7, which fixes this issue."}], "value": "Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticated user to raise query latencies via repeated password changes.\nUsers are recommended to upgrade to version 4.0.20, 4.1.11, 5.0.7, which fixes this issue."}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-07T16:42:52.361Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/2tnwjdnss378glxrsmnlzz3k53ftphrc"}], "source": {"advisory": "CASSANDRA-21202", "discovery": "EXTERNAL"}, "title": "Apache Cassandra: Authenticated DoS via ALTER ROLE Password Hashing", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/07/9"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-07T17:26:02.509Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T14:43:30.429610Z", "id": "CVE-2026-32588", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:43:57.808Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/07/9"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-07T17:26:02.509Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32588", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T14:43:30.429610Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:43:51.402Z"}}], "cna": {"title": "Apache Cassandra: Authenticated DoS via ALTER ROLE Password Hashing", "source": {"advisory": "CASSANDRA-21202", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "Youlong Chen, Institute of Computing Technology, Chinese Academy of Sciences"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "low"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Cassandra", "versions": [{"status": "affected", "version": "4.0", "versionType": "semver", "lessThanOrEqual": "4.0.19"}, {"status": "affected", "version": "4.1", "versionType": "semver", "lessThanOrEqual": "4.1.10"}, {"status": "affected", "version": "5.0", "versionType": "semver", "lessThanOrEqual": "5.0.6"}], "packageName": "org.apache.cassandra:cassandra-all", "collectionURL": "https://repo.maven.apache.org/maven2/", "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/2tnwjdnss378glxrsmnlzz3k53ftphrc", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticated user to raise query latencies via repeated password changes.\nUsers are recommended to upgrade to version 4.0.20, 4.1.11, 5.0.7, which fixes this issue.", "supportingMedia": [{"type": "text/html", "value": "Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticated user to raise query latencies via repeated password changes.<br>Users are recommended to upgrade to version 4.0.20, 4.1.11, 5.0.7, which fixes this issue.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-07T16:42:52.361Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32588", "state": "PUBLISHED", "dateUpdated": "2026-04-09T14:43:57.808Z", "dateReserved": "2026-03-12T13:36:03.338Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-04-07T16:42:52.361Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticated user to raise query latencies via repeated password changes.\nUsers are recommended to upgrade to version 4.0.20, 4.1.11, 5.0.7, which fixes this issue."}], "id": "CVE-2026-32588", "lastModified": "2026-04-09T15:16:09.710", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-07T17:16:28.297", "references": [{"source": "security@apache.org", "url": "https://lists.apache.org/thread/2tnwjdnss378glxrsmnlzz3k53ftphrc"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/07/9"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security@apache.org", "type": "Secondary"}]}

{"bugzilla": {"description": "Apache Cassandra: Apache Cassandra: Denial of Service via repeated password changes", "id": "2456105", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456105"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-770", "details": ["A flaw was found in Apache Cassandra. An authenticated user can exploit this vulnerability by repeatedly changing their password over the Cassandra Query Language (CQL). This action can significantly increase query latencies, leading to a Denial of Service (DoS) for the system."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-32588", "package_state": [{"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Fix deferred", "package_name": "cassandra-all", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "cassandra-all", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "cassandra-all", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "cassandra-all", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "cassandra-all", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2026-04-07T16:42:52Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-32588\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32588\nhttp://www.openwall.com/lists/oss-security/2026/04/07/9\nhttps://issues.apache.org/jira/browse/CASSANDRA-21202\nhttps://lists.apache.org/thread/2tnwjdnss378glxrsmnlzz3k53ftphrc"], "threat_severity": "Moderate"}

{"affected": [{"configurations": [{"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.0,4.0.19]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[4.1,4.1.10]"}}, {"platform": null, "status": "affected", "versions": {"scheme": "semver", "value": "[5.0,5.0.6]"}}], "enrichment": {"confidence": 95.0, "confidence_source": "inferred", "scores": [{"score": 95.0, "source": "inferred"}, {"score": 100.0, "source": "matching"}]}, "original": {"product": "Apache Cassandra", "source": "cna", "vendor": "Apache Software Foundation"}, "product": "cassandra", "vendor": "apache"}], "analysis": {"en": {"generated_at": "2026-04-09T17:31:25.257584+00:00", "value": {"mitigation_remediation": ["Upgrade Apache Cassandra to version 4.0.20, 4.1.11, or 5.0.7 to remove the flaw.", "If an upgrade cannot be applied immediately, limit ALTER\u00a0ROLE permissions to trusted accounts to reduce the ability to trigger repeated password changes."], "summary": {"action": "Patch Now", "impact": "Denial of Service"}, "threat_synthesis": {"affected_systems": "Apache Cassandra releases 4.0, 4.1, and 5.0 are vulnerable. The issue is fixed in releases 4.0.20, 4.1.11, and 5.0.7, so upgrading to those versions removes the flaw.", "description_and_impact": "Authenticated users can repeatedly change their passwords, causing Cassandra to perform costly hashing for each change. This repeated computation increases query latencies and can degrade overall cluster performance, ultimately leading to a denial of service for legitimate users. The vulnerability reflects uncontrolled resource consumption and unbounded allocation of resources.", "risk_and_exploitability": "The CVSS score of 6.5 indicates moderate severity, while the EPSS score of less than 1\u202f% suggests that exploitation is unlikely in the wild. Exploitation requires valid credentials or an already compromised account; once authenticated, an attacker can submit many password change requests to inflate cluster latency. The vulnerability is not currently listed in the CISA KEV catalog, but the combination of moderate severity and authenticated access warrants timely remediation or mitigation."}}}}, "created": "2026-04-08T19:36:42.635378+00:00", "updated": "2026-04-10T09:41:26.183224+00:00", "vendors": ["apache", "apache$PRODUCT$cassandra"]}