Resource exhaustion in Apache Software Foundation Cassandra

CVE-2026-32588

Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticated user to raise query latencies via repeated password changes. Users are recommended to upgrade to version 4.0.20, 4.1.11, 5.0.7, which fixes this issue.

Vulnerability class: DoS (Denial of Service)

EPSS: 0.001 (21.9th percentile) — read the EPSS interpretation.

Affected products

Apache Software Foundation Cassandra — versions 4.0, 4.1, 5.0

Weakness classification (CWE)

CWE-400 — Uncontrolled Resource Consumption

References

lists.apache.org/thread/2tnwjdnss378glxrsmnlzz3k53ftphrc (vendor-advisory)