Platform: apache
Component: apache-cassandra
Fixed in: 4.0.20, 4.1.11, 5.0.7
CVE-2026-32588 describes a Denial of Service (DoS) vulnerability affecting Apache Cassandra versions 4.0.0 through 5.0.6. An authenticated user can repeatedly change their password, causing significant increases in query latency and potentially disrupting service. Affected versions include Cassandra 4.0.x, 4.1.x, and 5.0.x. A fix is available in versions 4.0.20, 4.1.11, and 5.0.7.
This vulnerability allows an authenticated user to induce a denial of service condition within an Apache Cassandra cluster. By repeatedly changing their password, an attacker can trigger a cascade of operations that significantly increase query latency for all users. This can lead to application timeouts, service degradation, and potentially a complete outage. The impact is particularly severe in production environments with high query loads, as even a small number of malicious users could disrupt the entire cluster. Although the attack requires authentication, password changes are cheap to issue, which makes this a relatively low-effort attack vector.
This vulnerability was publicly disclosed on April 7, 2026. It is not currently listed on the CISA KEV catalog. Public proof-of-concept exploits are not widely available, suggesting a low probability of immediate widespread exploitation. However, the ease of exploitation and the potential for disruption warrant prompt patching.
Organizations running Apache Cassandra versions 4.0.0 through 5.0.6 are at risk, particularly those with a large number of users or applications relying on Cassandra for data storage. Shared hosting environments where multiple users have access to the Cassandra instance are also at increased risk.
• apache: Monitor Cassandra query latency using built-in metrics or external monitoring tools. Look for sudden and sustained increases in latency following password change events.
# Check Cassandra query latency using nodetool
nodetool cfstats | grep 'Read latency'
• apache: Examine Cassandra system logs for excessive password change requests originating from a single user or IP address.
# Filter the Cassandra system log for password change events
# (default package-install log path assumed; for reliable coverage enable
# Cassandra audit logging and look for ALTER_ROLE entries instead)
grep 'Password changed for user' /var/log/cassandra/system.log
Disclosure
Exploit status
EPSS: 0.04% (13th percentile)
The primary mitigation is to upgrade to a patched version of Apache Cassandra. Versions 4.0.20, 4.1.11, and 5.0.7 contain the fix. If immediate upgrade is not possible, consider implementing rate limiting on password change requests to reduce the frequency of triggering the vulnerability. Monitoring Cassandra query latency is crucial; unusual spikes should be investigated immediately. While a WAF cannot directly prevent this, it could be configured to detect and block suspicious patterns of password change requests. After upgrading, confirm the fix by simulating password changes and verifying that query latency remains within acceptable bounds.
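As an added example (not from this advisory or the Cassandra project) of the log-based detection described above: the script below parses lines in the shape of Cassandra's FileAuditLogger output and flags any user whose ALTER ROLE ... WITH PASSWORD statements reach a threshold within a sliding time window. Audit logging must be enabled for such lines to exist; the exact field layout, the sample lines, and the assumption that lines arrive in timestamp order are assumptions.

```python
import re
from collections import defaultdict, deque

# Constructed sample lines shaped like Cassandra audit log output:
# pipe-separated key:value fields, password literals redacted by the logger.
SAMPLE_AUDIT_LOG = """\
user:alice|source:/10.0.0.9|timestamp:1775520000000|type:ALTER_ROLE|category:DCL|operation:ALTER ROLE alice WITH PASSWORD = '*******'
user:alice|source:/10.0.0.9|timestamp:1775520000400|type:ALTER_ROLE|category:DCL|operation:ALTER ROLE alice WITH PASSWORD = '*******'
user:alice|source:/10.0.0.9|timestamp:1775520000900|type:ALTER_ROLE|category:DCL|operation:ALTER ROLE alice WITH PASSWORD = '*******'
user:alice|source:/10.0.0.9|timestamp:1775520001300|type:ALTER_ROLE|category:DCL|operation:ALTER ROLE alice WITH PASSWORD = '*******'
user:bob|source:/10.0.0.12|timestamp:1775520002000|type:ALTER_ROLE|category:DCL|operation:ALTER ROLE bob WITH PASSWORD = '*******'
user:bob|source:/10.0.0.12|timestamp:1775520003000|type:SELECT|category:QUERY|operation:SELECT * FROM ks.t
user:alice|source:/10.0.0.9|timestamp:1775520090000|type:ALTER_ROLE|category:DCL|operation:ALTER ROLE alice WITH PASSWORD = '*******'
"""

PASSWORD_RE = re.compile(r"\bWITH\s+PASSWORD\b", re.IGNORECASE)


def parse_line(line):
    """Split one audit line into a dict; only the first ':' of each field separates key from value."""
    fields = {}
    for part in line.split("|"):
        key, sep, value = part.partition(":")
        if sep:
            fields[key] = value
    return fields


def password_change_bursts(log_text, window_ms=60_000, threshold=3):
    """Return {user: peak_count} for users whose password changes reach
    `threshold` inside any sliding window of `window_ms` milliseconds."""
    recent = defaultdict(deque)  # user -> timestamps (ms) still inside the window
    peaks = {}
    for line in log_text.splitlines():
        f = parse_line(line)
        if f.get("type") != "ALTER_ROLE" or not PASSWORD_RE.search(f.get("operation", "")):
            continue  # not a password change; ignore other role changes and queries
        user, ts = f["user"], int(f["timestamp"])
        q = recent[user]
        q.append(ts)
        while ts - q[0] > window_ms:  # drop changes that fell out of the window
            q.popleft()
        if len(q) >= threshold:
            peaks[user] = max(peaks.get(user, 0), len(q))
    return peaks


if __name__ == "__main__":
    for user, count in password_change_bursts(SAMPLE_AUDIT_LOG).items():
        print(f"ALERT: {user} changed password {count} times within 60s")
```

Tune `window_ms` and `threshold` to the normal rate of credential rotation in your environment so that legitimate rotations by service accounts are not flagged.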
Upgrade Apache Cassandra to version 4.0.20, 4.1.11, or 5.0.7 to mitigate the vulnerability. This update fixes an issue that allows an authenticated user to cause a denial of service (DoS) through repeated role password changes.
CVE-2026-32588 is a Denial of Service vulnerability in Apache Cassandra versions 4.0.0–5.0.6 where authenticated users can trigger query latency spikes by repeatedly changing their passwords.
You are affected if you are running Apache Cassandra versions 4.0.0 through 5.0.6. Upgrade to 4.0.20, 4.1.11, or 5.0.7 to mitigate the risk.
Upgrade to a patched version of Apache Cassandra: 4.0.20, 4.1.11, or 5.0.7. Consider rate limiting password changes as a temporary workaround.
There is no confirmed active exploitation of CVE-2026-32588 at this time, but the ease of exploitation warrants prompt patching.
Refer to the Apache Cassandra security advisories on the Apache project website for the latest information: https://cassandra.apache.org/security/