Apache Cassandra: Authenticated DoS via ALTER ROLE Password Hashing
Summary
| CVE | CVE-2026-32588 |
|---|---|
| State | PUBLISHED |
| Assigner | apache |
| Source Priority | CVE Program / NVD first with legacy fallback |
| Published | 2026-04-07 17:16:28 UTC |
| Updated | 2026-04-07 18:16:41 UTC |
| Description | Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticated user to raise query latencies via repeated password changes. Users are recommended to upgrade to version 4.0.20, 4.1.11, 5.0.7, which fixes this issue. |
Risk And Classification
Problem Types: CWE-400 | CWE-400 CWE-400 Uncontrolled Resource Consumption
Vendor Declared Affected Products
| Source | Vendor | Product | Version | Platforms |
|---|---|---|---|---|
| CNA | Apache Software Foundation | Apache Cassandra | affected 4.0 4.0.19 semver | Not specified |
| CNA | Apache Software Foundation | Apache Cassandra | affected 4.1 4.1.10 semver | Not specified |
| CNA | Apache Software Foundation | Apache Cassandra | affected 5.0 5.0.6 semver | Not specified |
References
| Reference | Source | Link | Tags |
|---|---|---|---|
| lists.apache.org/thread/2tnwjdnss378glxrsmnlzz3k53ftphrc | [email protected] | lists.apache.org | |
| www.openwall.com/lists/oss-security/2026/04/07/9 | af854a3a-2127-422b-91ae-364da2661108 | www.openwall.com | |
| CVE Program record | CVE.ORG | www.cve.org | canonical |
| NVD vulnerability detail | NVD | nvd.nist.gov | canonical, analysis |
Vendor Comments And Credit
Discovery Credit
CNA: Youlong Chen, Institute of Computing Technology, Chinese Academy of Sciences (en)
There are currently no legacy QID mappings associated with this CVE.