Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Primary rating from NVD · only source for this CVE.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
4DescriptionCVE.org
Privilege escalation in Apache Cassandra 5.0 on an mTLS environment using MutualTlsAuthenticator allows a user with only CREATE permission to associate their own certificate identity with an arbitrary role, including a superuser role, and authenticate as that role via ADD IDENTITY.
Users are recommended to upgrade to version 5.0.7+, which fixes this issue.
AnalysisAI
Apache Cassandra 5.0 through 5.0.6 in mTLS environments using MutualTlsAuthenticator allows authenticated users with only CREATE permission to escalate privileges to superuser via certificate identity manipulation through the ADD IDENTITY command. CVSS 8.8 reflects high impact across confidentiality, integrity, and availability. No public exploit identified at time of analysis, with SSVC indicating non-automatable exploitation but total technical impact. Apache released patch version 5.0.7+ addressing this privilege escalation flaw (CWE-267: Privilege Defined With Unsafe Actions).
Technical ContextAI
Apache Cassandra is a distributed NoSQL database system. This vulnerability affects deployments using mutual TLS (mTLS) authentication with the MutualTlsAuthenticator component, which binds X.509 certificate identities to database roles. The flaw (CWE-267: Privilege Defined With Unsafe Actions) stems from insufficient authorization checks in the ADD IDENTITY operation. The MutualTlsAuthenticator is designed to map client certificates to internal Cassandra roles for access control, but versions 5.0 through 5.0.6 fail to validate that users adding certificate identities have appropriate privileges. This allows an attacker with minimal CREATE permission to associate their certificate with any role, including SUPERUSER, effectively bypassing the entire role-based access control (RBAC) model in mTLS-enabled clusters. The vulnerability only manifests in environments where mTLS client authentication is configured, not in default username/password authentication setups.
RemediationAI
Upgrade immediately to Apache Cassandra version 5.0.7 or later, which contains fixes for the privilege escalation vulnerability. Organizations should prioritize patching for production clusters using mTLS authentication with MutualTlsAuthenticator, as this is the only affected configuration. During upgrade planning, audit existing certificate-to-role mappings to identify any unauthorized privilege associations created through exploitation of this vulnerability. If immediate patching is not feasible, temporary risk reduction can be achieved by restricting CREATE permission grants to only highly trusted users in mTLS environments, though this is not a complete mitigation. Review access logs for suspicious ADD IDENTITY operations, particularly those associating certificates with superuser or other high-privilege roles. Consult the official Apache Cassandra security advisory at https://lists.apache.org/thread/zrng82ddy4rpsmfyk582v6hqxcqrbz7f for detailed upgrade instructions and additional security guidance. No workarounds fully address the vulnerability; patching to 5.0.7+ is the definitive remediation.
Same weakness CWE-267 – Privilege Defined With Unsafe Actions
View allSame technique Privilege Escalation
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19761
GHSA-qxpc-96fq-wwmg