#VU125100 Improper access control in Cassandra - CVE-2026-27314

Published: April 7, 2026


Vulnerability identifier: #VU125100
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:N/AC:L/AT:N/PR:L/UI:N/VC:N/VI:H/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-27314
CWE-ID: CWE-284
Exploitation vector: Remote access
Exploit availability: No public exploit available
Vulnerable software: Cassandra
Software vendor: Apache Foundation

Description

The vulnerability allows a remote user to escalate privileges.

The vulnerability exists due to improper access control in ADD IDENTITY authorization handling when associating a certificate identity with an arbitrary role in an mTLS environment using MutualTlsAuthenticator. A remote user can associate their own certificate identity with an arbitrary role to escalate privileges.

Exploitation requires an mTLS environment using MutualTlsAuthenticator and CREATE permission.
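Because the flaw lets a certificate identity be bound to a role it should not hold, the practical defender check is to enumerate the existing identity-to-role mappings and flag any that point at a privileged role or that are not on an approved allow-list. The script below is an added example, not code from the advisory or from the Apache Cassandra project. It assumes that the mTLS mappings are stored in `system_auth.identity_to_role` (columns `identity`, `role`) and that role flags come from `system_auth.roles` (columns `role`, `is_superuser`, `can_login`); the rows it operates on are constructed stand-ins for what those two tables would return, so it runs offline.

```python
# Added example (not from the advisory or the Cassandra project).
# Assumption: in Cassandra 5.x the MutualTlsAuthenticator identity mapping is
# kept in system_auth.identity_to_role (identity, role) and role flags in
# system_auth.roles (role, is_superuser, can_login). The sample rows below are
# constructed, not captured from a real cluster.

from dataclasses import dataclass


@dataclass(frozen=True)
class IdentityMapping:
    identity: str  # certificate identity, e.g. a SPIFFE URI or a subject string
    role: str      # Cassandra role the identity authenticates as


@dataclass(frozen=True)
class Role:
    name: str
    is_superuser: bool
    can_login: bool


# Constructed sample of `SELECT identity, role FROM system_auth.identity_to_role;`
IDENTITY_ROWS = [
    IdentityMapping("spiffe://example.org/svc/payments", "payments_app"),
    IdentityMapping("spiffe://example.org/svc/reporting", "reporting_ro"),
    # A second mapping for the reporting identity that targets the superuser
    # role: exactly the kind of binding this advisory is about.
    IdentityMapping("spiffe://example.org/svc/reporting", "cassandra"),
    IdentityMapping("CN=batch-job,O=Example", "dba_admin"),
]

# Constructed sample of `SELECT role, is_superuser, can_login FROM system_auth.roles;`
ROLE_ROWS = [
    Role("cassandra", is_superuser=True, can_login=True),
    Role("payments_app", is_superuser=False, can_login=True),
    Role("reporting_ro", is_superuser=False, can_login=True),
    Role("dba_admin", is_superuser=False, can_login=True),
]


def audit_identity_mappings(mappings, roles, privileged_roles=frozenset()):
    """Return (identity, role, reason) for each mapping that grants a privileged role.

    A role is privileged if it is a superuser or if the operator lists it in
    privileged_roles (roles that hold broad GRANTs without being superuser).
    """
    superusers = {r.name for r in roles if r.is_superuser}
    findings = []
    for m in mappings:
        if m.role in superusers:
            findings.append((m.identity, m.role, "superuser"))
        elif m.role in privileged_roles:
            findings.append((m.identity, m.role, "listed as privileged"))
    return findings


def unexpected_identity_mappings(mappings, approved):
    """Return mappings not present in the approved {identity: {roles}} allow-list."""
    return [m for m in mappings if m.role not in approved.get(m.identity, set())]


if __name__ == "__main__":
    approved = {
        "spiffe://example.org/svc/payments": {"payments_app"},
        "spiffe://example.org/svc/reporting": {"reporting_ro"},
        "CN=batch-job,O=Example": {"dba_admin"},
    }
    for identity, role, reason in audit_identity_mappings(
        IDENTITY_ROWS, ROLE_ROWS, privileged_roles={"dba_admin"}
    ):
        print(f"PRIVILEGED: {identity} -> {role} ({reason})")
    for m in unexpected_identity_mappings(IDENTITY_ROWS, approved):
        # Assumed remediation syntax for an unapproved binding: DROP IDENTITY '<identity>';
        print(f"UNAPPROVED: {m.identity} -> {m.role}")
```

Run it against a real export of the two tables (one row per line from `cqlsh`) and treat every "UNAPPROVED" line as a mapping to review; identities bound to a superuser role that did not come through your provisioning process are the signal that this weakness was used.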


Remediation

Install the security update from the vendor's website.

External links