Severity by source
AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:N/I:N/A:H
Lifecycle Timeline
4DescriptionCVE.org
Authenticated DoS over CQL in Apache Cassandra 4.0, 4.1, 5.0 allows authenticated user to raise query latencies via repeated password changes. Users are recommended to upgrade to version 4.0.20, 4.1.11, 5.0.7, which fixes this issue.
AnalysisAI
Authenticated denial of service via CQL in Apache Cassandra 4.0 through 5.0 allows authenticated users to elevate query latencies by repeatedly changing passwords, disrupting service availability for legitimate users. The vulnerability affects Cassandra 4.0.0-4.0.19, 4.1.0-4.1.10, and 5.0.0-5.0.6. Vendor-released patches are available (4.0.20, 4.1.11, 5.0.7). With an EPSS score of 0.02% (5th percentile), real-world exploitation risk is minimal despite the moderate CVSS score of 6.5, reflecting the requirement for prior authentication and the low likelihood of widespread abuse.
Technical ContextAI
The vulnerability exploits the CQL (Cassandra Query Language) protocol's password-change mechanism. Apache Cassandra uses CQL as its primary query interface; authenticated users connect with credentials and can issue commands including authentication modifications. The root cause is a resource exhaustion flaw (CWE-400: Uncontrolled Resource Consumption) in which repeated password-change operations trigger expensive internal processes (such as credential validation, replication, or synchronization) without adequate rate limiting or cost controls. An authenticated attacker can repeatedly invoke password-change requests, consuming server resources and degrading latency for all concurrent queries, effectively creating a denial of service condition. The flaw is present in the CQL authentication handling layer across Cassandra's major versions 4.0, 4.1, and 5.0.
RemediationAI
Upgrade to the patched versions: Apache Cassandra 4.0.20, 4.1.11, or 5.0.7, depending on your current version. These releases are available from the Apache Cassandra download page and official repositories. If immediate upgrade is not feasible, implement compensating controls: (1) restrict CQL client connections to trusted networks and enforce strong authentication policies; (2) monitor and rate-limit authentication-related operations (password changes) per authenticated user; (3) configure query timeout and resource limits in cassandra.yaml to prevent individual users from monopolizing server resources. For deployment guidance, consult the vendor advisory at https://lists.apache.org/thread/2tnwjdnss378glxrsmnlzz3k53ftphrc.
Same weakness CWE-400 – Uncontrolled Resource Consumption
View allSame technique Denial Of Service
View allVendor StatusVendor
Share
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-19769
GHSA-qffm-gf3j-6mvg