Description

Privilege escalation in Apache Cassandra 5.0 in an mTLS environment using MutualTlsAuthenticator allows a user with only CREATE permission to associate their own certificate identity with an arbitrary role, including a superuser role, via ADD IDENTITY and then authenticate as that role. Users are advised to upgrade to version 5.0.7 or later, which fixes this issue.

PUBLISHED Reserved 2026-02-19 | Published 2026-04-07 | Updated 2026-04-08 | Assigner apache

Problem types

CWE-267 Privilege Defined With Unsafe Actions

Product status

Default status: unaffected

5.0 (semver): affected

Credits

Sho Odagiri, GMO Cybersecurity by Ierae, Inc. (reporter)

References

www.openwall.com/lists/oss-security/2026/04/07/7

lists.apache.org/thread/zrng82ddy4rpsmfyk582v6hqxcqrbz7f (vendor advisory)

cve.org (CVE-2026-27314)

nvd.nist.gov (CVE-2026-27314)