CVE-2026-32588
Apache Cassandra has an authenticated DoS over CQL
EPSS 0.07%
Description
Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, and 5.0 allows an authenticated user to raise query latencies via repeated password changes. Users are recommended to upgrade to version 4.0.20, 4.1.11, or 5.0.7, which fixes this issue.
How to fix CVE-2026-32588
To remediate CVE-2026-32588, upgrade the affected package to a fixed version below.
- Maven/org.apache.cassandra:cassandra-all—upgrade to 4.0.20 or later
Is CVE-2026-32588 being exploited?
Low — EPSS is 0.1%, meaning exploitation activity has not been observed at scale.
Affected packages (1)
- >= 4.0, < 4.0.20
CVSS scores
| Source | Version | Severity | Vector |
|---|---|---|---|
| osv | CVSS 4.0 | — | CVSS:4.0/AV:N/AC:L/AT:P/PR:L/UI:N/VC:N/VI:N/VA:L/SC:N/SI:N/SA:N |