Apache Cassandra: Privilege escalation via ADD IDENTITY authorization bypass

Description

Privilege escalation in Apache Cassandra 5.0 on an mTLS environment using MutualTlsAuthenticator allows a user with only CREATE permission to associate their own certificate identity with an arbitrary role, including a superuser role, and authenticate as that role via ADD IDENTITY. Users are recommended to upgrade to version 5.0.7+, which fixes this issue.

Affected Products

Vendor	Product	Versions
the apache software foundation	apache cassandra	maven/org.apache.cassandra:cassandra-all: >= 5.0-alpha1, < 5.0.7

References

https://lists.apache.org/thread/zrng82ddy4rpsmfyk582v6hqxcqrbz7f(vendor-advisory)

Related News (3 articles)

Tier B

BSI Advisories14h ago

[NEU] [hoch] Apache Cassandra: Mehrere Schwachstellen

→ No new info (linked only)

Tier C

oss-security1d ago

CVE-2026-27314: Apache Cassandra: Privilege escalation via ADD IDENTITY authorization bypass

→ No new info (linked only)

Tier C

VulDB1d ago

CVE-2026-27314 | Apache Cassandra up to 5.0.6 ADD IDENTITY authorization

→ No new info (linked only)

CVSS 3.18.8 HIGH

VectorCVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

CISA KEV❌ No

Actively exploited✅ Yes

Patch available

org.apache.cassandra:cassandra-all@5.0.7

CWECWE-267

PublishedApr 7, 2026

Last enriched13h agov2

Trending Score63

Source articles3

Independent3

Info Completeness10/14

Missing: epss, kev, iocs, mitre_attack

Community Vote

Version History

Last enriched 13h ago

v2Tier B13h ago

Updated severity to HIGH and marked the vulnerability as exploit available and actively exploited.

severityexploitAvailableactivelyExploited

via BSI Advisories

v11d ago

Initial creation

Apache Cassandra: Privilege escalation via ADD IDENTITY authorization bypass

Description

Affected Products

References

Related News (3 articles)

Community Vote

Pin to Dashboard

Verification

Vulnerability Timeline

Version History