CVE-2026-27314
Received Received - Intake
Privilege Escalation in Apache Cassandra 5.0 mTLS Authentication

Publication date: 2026-04-07

Last updated on: 2026-04-15

Assigner: Apache Software Foundation

Description
Privilege escalation in Apache Cassandra 5.0 on an mTLS environment using MutualTlsAuthenticator allows a user with only CREATE permission to associate their own certificate identity with an arbitrary role, including a superuser role, and authenticate as that role via ADD IDENTITY. Users are recommended to upgrade to version 5.0.7+, which fixes this issue.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-15
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27314
EUVD
EUVD-2026-19761
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache cassandra From 5.0.0 (inc) to 5.0.7 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-267 A particular privilege, role, capability, or right can be used to perform unsafe actions that were not intended, even when it is assigned to the correct entity.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability is a privilege escalation issue in Apache Cassandra 5.0 when used in an mTLS environment with MutualTlsAuthenticator. It allows a user who only has CREATE permission to associate their own certificate identity with any arbitrary role, including a superuser role, by using the ADD IDENTITY function. This means the user can effectively authenticate as a higher-privileged role than they should be allowed.

Impact Analysis

The impact of this vulnerability is that an attacker or unauthorized user with limited permissions can escalate their privileges to gain superuser access. This can lead to unauthorized access to sensitive data, modification or deletion of data, and potentially full control over the Cassandra database environment.

Mitigation Strategies

Users are recommended to upgrade Apache Cassandra to version 5.0.7 or later, which fixes this privilege escalation issue.

Compliance Impact

The provided information does not specify how this privilege escalation vulnerability in Apache Cassandra affects compliance with common standards and regulations such as GDPR or HIPAA.

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27314. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart