Medium severity6.5NVD Advisory· Published Apr 7, 2026· Updated Apr 15, 2026

CVE-2026-32588

Description

Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticated user to raise query latencies via repeated password changes. Users are recommended to upgrade to version 4.0.20, 4.1.11, 5.0.7, which fixes this issue.

Affected packages

Versions sourced from the GitHub Security Advisory.

Package	Affected versions	Patched versions
org.apache.cassandra:cassandra-allMaven	>= 4.0, < 4.0.20	4.0.20
org.apache.cassandra:cassandra-allMaven	>= 4.1, < 4.1.11	4.1.11
org.apache.cassandra:cassandra-allMaven	>= 5.0, < 5.0.7	5.0.7

Affected products

Apache/Cassandra
cpe:2.3:a:apache:cassandra:*:*:*:*:*:*:*:*
Range: >=4.0.0,<4.0.20

Patches

No patches discovered yet.

Vulnerability mechanics

AI mechanics synthesis has not run for this CVE yet.

References

www.openwall.com/lists/oss-security/2026/04/07/9nvdMailing ListThird Party AdvisoryWEB
github.com/advisories/GHSA-qffm-gf3j-6mvgghsaADVISORY
lists.apache.org/thread/2tnwjdnss378glxrsmnlzz3k53ftphrcnvdMailing ListVendor AdvisoryWEB
nvd.nist.gov/vuln/detail/CVE-2026-32588ghsaADVISORY

News mentions

Microsoft Patches 138 Vulnerabilities, Including DNS and Netlogon RCE Flaws
The Hacker News · May 13, 2026
Patch Tuesday - May 2026
Rapid7 Blog · May 13, 2026
It's Patch Tuesday for Microsoft & Not a Zero-Day In Sight
Dark Reading · May 12, 2026
Microsoft Patch Tuesday for May 2026 — Snort rules and prominent vulnerabilities
Cisco Talos Intelligence · May 12, 2026
Microsoft May 2026 Patch Tuesday, (Tue, May 12th)
SANS Internet Storm Center · May 12, 2026
May 2026 Patch Tuesday: 30 Critical Vulnerabilities Among 130 CVEs
CrowdStrike Blog

cvss	0.423
epss	0.000
exploit	0.000
kev	0.000
patch	0.000
ransomware	0.000