Message-ID: <b64d5fc2-2b98-672e-6e3b-bedcc2951a24@apache.org>
Date: Tue, 07 Apr 2026 13:57:41 +0000
From: Michael Semb Wever <mck@...che.org>
To: oss-security@...ts.openwall.com
Subject: CVE-2026-27314: Apache Cassandra: Privilege escalation via ADD IDENTITY authorization bypass

Severity: low

Affected versions:

- Apache Cassandra (org.apache.cassandra:cassandra-all) 5.0 through 5.0.6

Description:

Privilege escalation in Apache Cassandra 5.0 in an mTLS environment using MutualTlsAuthenticator allows a user with only CREATE permission to associate their own certificate identity with an arbitrary role, including a superuser role, and authenticate as that role via ADD IDENTITY.

Users are recommended to upgrade to version 5.0.7+, which fixes this issue.

This issue is being tracked as CASSANDRA-21219

Credit:

Sho Odagiri, GMO Cybersecurity by Ierae, Inc. (reporter)

References:

https://cassandra.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-27314
https://issues.apache.org/jira/browse/CASSANDRA-21219
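A check an operator would want to run on an affected cluster before and after upgrading is whether any certificate identity has been bound to a role it should not have, in particular a superuser role. The script below is an added example and is not part of the advisory or of Apache Cassandra. It assumes, from my understanding of Cassandra 5.0's MutualTlsAuthenticator, that ADD IDENTITY bindings are stored in system_auth.identity_to_role (identity, role) and superuser flags in system_auth.roles (role, is_superuser); neither table name appears in the advisory, and the sample rows, identity strings and allowlist are constructed for the example.

```python
"""Audit certificate-identity-to-role bindings after CVE-2026-27314.

Added example, not code from the advisory or from Apache Cassandra.
Assumed (not stated in the advisory): ADD IDENTITY bindings are read from
system_auth.identity_to_role and superuser flags from system_auth.roles.
The identity format (SPIFFE ID or certificate subject) depends on the
configured certificate validator; both forms are shown as constructed data.
"""
from dataclasses import dataclass

# Queries an operator would run against a live cluster (assumed table names):
#   SELECT identity, role FROM system_auth.identity_to_role;
#   SELECT role, is_superuser FROM system_auth.roles;
# The rows below are constructed stand-ins for those result sets.

IDENTITY_ROWS = [
    {"identity": "spiffe://example.org/svc/billing", "role": "billing_app"},
    {"identity": "spiffe://example.org/svc/reporting", "role": "reporting_app"},
    # Constructed: the advisory's scenario, a CREATE-only user has bound a
    # certificate identity it controls to the superuser role via ADD IDENTITY.
    {"identity": "spiffe://example.org/svc/reporting-v2", "role": "cassandra"},
    {"identity": "CN=ops-admin,O=example", "role": "ops_admin"},
]

ROLE_ROWS = [
    {"role": "cassandra", "is_superuser": True},
    {"role": "ops_admin", "is_superuser": True},
    {"role": "billing_app", "is_superuser": False},
    {"role": "reporting_app", "is_superuser": False},
]

# Bindings the operator created on purpose (constructed allowlist).
# Any binding not matching this map exactly is a finding.
EXPECTED_BINDINGS = {
    "spiffe://example.org/svc/billing": "billing_app",
    "spiffe://example.org/svc/reporting": "reporting_app",
    "CN=ops-admin,O=example": "ops_admin",
}


@dataclass(frozen=True)
class Finding:
    identity: str
    role: str
    reason: str


def audit_identity_bindings(identity_rows, role_rows, expected_bindings):
    """Return bindings that are unexpected or point at a different role than
    the allowlist says, with superuser targets listed first."""
    superusers = {r["role"] for r in role_rows if r["is_superuser"]}
    findings = []
    for row in identity_rows:
        identity, role = row["identity"], row["role"]
        expected_role = expected_bindings.get(identity)
        if expected_role is None:
            reason = "identity not in the expected-bindings allowlist"
        elif expected_role != role:
            reason = f"identity expected to map to {expected_role!r}"
        else:
            continue  # binding matches the allowlist exactly
        if role in superusers:
            reason += " and target role is a superuser"
        findings.append(Finding(identity, role, reason))
    # Superuser bindings are the ones to act on first.
    findings.sort(key=lambda f: (f.role not in superusers, f.identity))
    return findings


if __name__ == "__main__":
    for f in audit_identity_bindings(IDENTITY_ROWS, ROLE_ROWS, EXPECTED_BINDINGS):
        print(f"{f.identity} -> {f.role}: {f.reason}")
```

The allowlist comparison matters as much as the superuser check: on an unpatched node the attacker only needs CREATE permission, so a binding to any role more privileged than the attacker's own is a finding, not just a binding to a superuser. Run the audit from the identity table rather than from the roles table, because a role looks unchanged in system_auth.roles even after a foreign identity has been attached to it.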