CVE-2026-27314: Apache Cassandra is vulnerable to privilege escalation in an mTLS environment using MutualTlsAuthenticator

April 7, 2026 (updated April 8, 2026)

Privilege escalation in Apache Cassandra 5.0 on an mTLS environment using MutualTlsAuthenticator allows a user with only CREATE permission to associate their own certificate identity with an arbitrary role, including a superuser role, and authenticate as that role via ADD IDENTITY.

Users are recommended to upgrade to version 5.0.7+, which fixes this issue.

References

github.com/advisories/GHSA-qxpc-96fq-wwmg
github.com/apache/cassandra
github.com/apache/cassandra/commit/b584a435970e5125e1def5148d943c39569dc7af
github.com/apache/cassandra/releases/tag/cassandra-5.0.7
lists.apache.org/thread/zrng82ddy4rpsmfyk582v6hqxcqrbz7f
nvd.nist.gov/vuln/detail/CVE-2026-27314

Code Behaviors & Features

Detect and mitigate CVE-2026-27314 with GitLab Dependency Scanning

Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →