GHSA-qxpc-96fq-wwmg

Source
https://github.com/advisories/GHSA-qxpc-96fq-wwmg
Import Source
https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-qxpc-96fq-wwmg/GHSA-qxpc-96fq-wwmg.json
JSON Data
https://api.osv.dev/v1/vulns/GHSA-qxpc-96fq-wwmg
Aliases
  • CVE-2026-27314
Published
2026-04-07T18:31:37Z
Modified
2026-04-08T19:37:19.755202Z
Severity
  • 8.8 (High) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Summary
Apache Cassandra is vulnerable to privilege escalation in an mTLS environment using MutualTlsAuthenticator
Details

Privilege escalation in Apache Cassandra 5.0 in an mTLS environment using MutualTlsAuthenticator allows a user with only CREATE permission to use ADD IDENTITY to associate their own certificate identity with an arbitrary role, including a superuser role, and then authenticate as that role.

Users are recommended to upgrade to version 5.0.7+, which fixes this issue.

Database specific
{
    "nvd_published_at": "2026-04-07T17:16:27Z",
    "severity": "HIGH",
    "github_reviewed": true,
    "cwe_ids": [
        "CWE-267"
    ],
    "github_reviewed_at": "2026-04-08T19:22:39Z"
}

Affected packages

Maven / org.apache.cassandra:cassandra-all

Package

Name
org.apache.cassandra:cassandra-all
Purl
pkg:maven/org.apache.cassandra/cassandra-all

Affected ranges

Type
ECOSYSTEM
Events
Introduced
5.0-alpha1
Fixed
5.0.7

Affected versions

5.*
5.0-alpha1
5.0-alpha2
5.0-beta1
5.0-rc1
5.0-rc2
5.0.0
5.0.1
5.0.2
5.0.3
5.0.4
5.0.5
5.0.6

Database specific

source
"https://github.com/github/advisory-database/blob/main/advisories/github-reviewed/2026/04/GHSA-qxpc-96fq-wwmg/GHSA-qxpc-96fq-wwmg.json"