{"dataType": "CVE_RECORD", "dataVersion": "5.2", "cveMetadata": {"cveId": "CVE-2026-32588", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "state": "PUBLISHED", "assignerShortName": "apache", "dateReserved": "2026-03-12T13:36:03.338Z", "datePublished": "2026-04-07T16:42:52.361Z", "dateUpdated": "2026-04-09T14:43:57.808Z"}, "containers": {"cna": {"affected": [{"collectionURL": "https://repo.maven.apache.org/maven2/", "defaultStatus": "unaffected", "packageName": "org.apache.cassandra:cassandra-all", "product": "Apache Cassandra", "vendor": "Apache Software Foundation", "versions": [{"lessThanOrEqual": "4.0.19", "status": "affected", "version": "4.0", "versionType": "semver"}, {"lessThanOrEqual": "4.1.10", "status": "affected", "version": "4.1", "versionType": "semver"}, {"lessThanOrEqual": "5.0.6", "status": "affected", "version": "5.0", "versionType": "semver"}]}], "credits": [{"lang": "en", "type": "reporter", "value": "Youlong Chen, Institute of Computing Technology, Chinese Academy of Sciences"}], "descriptions": [{"lang": "en", "supportingMedia": [{"base64": false, "type": "text/html", "value": "Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticated user to raise query latencies via repeated password changes.<br>Users are recommended to upgrade to version 4.0.20, 4.1.11, 5.0.7, which fixes this issue."}], "value": "Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticated user to raise query latencies via repeated password changes.\nUsers are recommended to upgrade to version 4.0.20, 4.1.11, 5.0.7, which fixes this issue."}], "metrics": [{"other": {"content": {"text": "low"}, "type": "Textual description of severity"}}], "problemTypes": [{"descriptions": [{"cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption", "lang": "en", "type": "CWE"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-07T16:42:52.361Z"}, "references": [{"tags": ["vendor-advisory"], "url": "https://lists.apache.org/thread/2tnwjdnss378glxrsmnlzz3k53ftphrc"}], "source": {"advisory": "CASSANDRA-21202", "discovery": "EXTERNAL"}, "title": "Apache Cassandra: Authenticated DoS via ALTER ROLE Password Hashing", "x_generator": {"engine": "Vulnogram 0.2.0"}}, "adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/07/9"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-07T17:26:02.509Z"}}, {"metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"timestamp": "2026-04-09T14:43:30.429610Z", "id": "CVE-2026-32588", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "role": "CISA Coordinator", "version": "2.0.3"}}}], "title": "CISA ADP Vulnrichment", "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:43:57.808Z"}}]}}

{"dataType": "CVE_RECORD", "containers": {"adp": [{"title": "CVE Program Container", "references": [{"url": "http://www.openwall.com/lists/oss-security/2026/04/07/9"}], "providerMetadata": {"orgId": "af854a3a-2127-422b-91ae-364da2661108", "shortName": "CVE", "dateUpdated": "2026-04-07T17:26:02.509Z"}}, {"title": "CISA ADP Vulnrichment", "metrics": [{"cvssV3_1": {"scope": "UNCHANGED", "version": "3.1", "baseScore": 6.5, "attackVector": "NETWORK", "baseSeverity": "MEDIUM", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "integrityImpact": "NONE", "userInteraction": "NONE", "attackComplexity": "LOW", "availabilityImpact": "HIGH", "privilegesRequired": "LOW", "confidentialityImpact": "NONE"}}, {"other": {"type": "ssvc", "content": {"id": "CVE-2026-32588", "role": "CISA Coordinator", "options": [{"Exploitation": "none"}, {"Automatable": "no"}, {"Technical Impact": "partial"}], "version": "2.0.3", "timestamp": "2026-04-09T14:43:30.429610Z"}}}], "providerMetadata": {"orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "shortName": "CISA-ADP", "dateUpdated": "2026-04-09T14:43:51.402Z"}}], "cna": {"title": "Apache Cassandra: Authenticated DoS via ALTER ROLE Password Hashing", "source": {"advisory": "CASSANDRA-21202", "discovery": "EXTERNAL"}, "credits": [{"lang": "en", "type": "reporter", "value": "Youlong Chen, Institute of Computing Technology, Chinese Academy of Sciences"}], "metrics": [{"other": {"type": "Textual description of severity", "content": {"text": "low"}}}], "affected": [{"vendor": "Apache Software Foundation", "product": "Apache Cassandra", "versions": [{"status": "affected", "version": "4.0", "versionType": "semver", "lessThanOrEqual": "4.0.19"}, {"status": "affected", "version": "4.1", "versionType": "semver", "lessThanOrEqual": "4.1.10"}, {"status": "affected", "version": "5.0", "versionType": "semver", "lessThanOrEqual": "5.0.6"}], "packageName": "org.apache.cassandra:cassandra-all", "collectionURL": "https://repo.maven.apache.org/maven2/", "defaultStatus": "unaffected"}], "references": [{"url": "https://lists.apache.org/thread/2tnwjdnss378glxrsmnlzz3k53ftphrc", "tags": ["vendor-advisory"]}], "x_generator": {"engine": "Vulnogram 0.2.0"}, "descriptions": [{"lang": "en", "value": "Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticated user to raise query latencies via repeated password changes.\nUsers are recommended to upgrade to version 4.0.20, 4.1.11, 5.0.7, which fixes this issue.", "supportingMedia": [{"type": "text/html", "value": "Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticated user to raise query latencies via repeated password changes.<br>Users are recommended to upgrade to version 4.0.20, 4.1.11, 5.0.7, which fixes this issue.", "base64": false}]}], "problemTypes": [{"descriptions": [{"lang": "en", "type": "CWE", "cweId": "CWE-400", "description": "CWE-400 Uncontrolled Resource Consumption"}]}], "providerMetadata": {"orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "shortName": "apache", "dateUpdated": "2026-04-07T16:42:52.361Z"}}}, "cveMetadata": {"cveId": "CVE-2026-32588", "state": "PUBLISHED", "dateUpdated": "2026-04-09T14:43:57.808Z", "dateReserved": "2026-03-12T13:36:03.338Z", "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09", "datePublished": "2026-04-07T16:42:52.361Z", "assignerShortName": "apache"}, "dataVersion": "5.2"}

{"cveTags": [], "descriptions": [{"lang": "en", "value": "Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticated user to raise query latencies via repeated password changes.\nUsers are recommended to upgrade to version 4.0.20, 4.1.11, 5.0.7, which fixes this issue."}], "id": "CVE-2026-32588", "lastModified": "2026-04-09T15:16:09.710", "metrics": {"cvssMetricV31": [{"cvssData": {"attackComplexity": "LOW", "attackVector": "NETWORK", "availabilityImpact": "HIGH", "baseScore": 6.5, "baseSeverity": "MEDIUM", "confidentialityImpact": "NONE", "integrityImpact": "NONE", "privilegesRequired": "LOW", "scope": "UNCHANGED", "userInteraction": "NONE", "vectorString": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H", "version": "3.1"}, "exploitabilityScore": 2.8, "impactScore": 3.6, "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0", "type": "Secondary"}]}, "published": "2026-04-07T17:16:28.297", "references": [{"source": "security@apache.org", "url": "https://lists.apache.org/thread/2tnwjdnss378glxrsmnlzz3k53ftphrc"}, {"source": "af854a3a-2127-422b-91ae-364da2661108", "url": "http://www.openwall.com/lists/oss-security/2026/04/07/9"}], "sourceIdentifier": "security@apache.org", "vulnStatus": "Undergoing Analysis", "weaknesses": [{"description": [{"lang": "en", "value": "CWE-400"}], "source": "security@apache.org", "type": "Secondary"}]}

{"bugzilla": {"description": "Apache Cassandra: Apache Cassandra: Denial of Service via repeated password changes", "id": "2456105", "url": "https://bugzilla.redhat.com/show_bug.cgi?id=2456105"}, "csaw": false, "cvss3": {"cvss3_base_score": "4.3", "cvss3_scoring_vector": "CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:L", "status": "draft"}, "cwe": "CWE-770", "details": ["A flaw was found in Apache Cassandra. An authenticated user can exploit this vulnerability by repeatedly changing their password over the Cassandra Query Language (CQL). This action can significantly increase query latencies, leading to a Denial of Service (DoS) for the system."], "mitigation": {"lang": "en:us", "value": "Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability."}, "name": "CVE-2026-32588", "package_state": [{"cpe": "cpe:/a:redhat:jboss_data_grid:8", "fix_state": "Fix deferred", "package_name": "cassandra-all", "product_name": "Red Hat Data Grid 8"}, {"cpe": "cpe:/a:redhat:jboss_fuse:7", "fix_state": "Fix deferred", "package_name": "cassandra-all", "product_name": "Red Hat Fuse 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:7", "fix_state": "Fix deferred", "package_name": "cassandra-all", "product_name": "Red Hat JBoss Enterprise Application Platform 7"}, {"cpe": "cpe:/a:redhat:jboss_enterprise_application_platform:8", "fix_state": "Fix deferred", "package_name": "cassandra-all", "product_name": "Red Hat JBoss Enterprise Application Platform 8"}, {"cpe": "cpe:/a:redhat:jbosseapxp", "fix_state": "Fix deferred", "package_name": "cassandra-all", "product_name": "Red Hat JBoss Enterprise Application Platform Expansion Pack"}], "public_date": "2026-04-07T16:42:52Z", "references": ["https://www.cve.org/CVERecord?id=CVE-2026-32588\nhttps://nvd.nist.gov/vuln/detail/CVE-2026-32588\nhttp://www.openwall.com/lists/oss-security/2026/04/07/9\nhttps://issues.apache.org/jira/browse/CASSANDRA-21202\nhttps://lists.apache.org/thread/2tnwjdnss378glxrsmnlzz3k53ftphrc"], "threat_severity": "Moderate"}