CVE-2026-27315
Cleartext Password Leak via cqlsh History File in Apache Cassandra
Publication date: 2026-04-07
Last updated on: 2026-04-15
Assigner: Apache Software Foundation
Description
Description
CVSS Scores
EPSS Scores
| Probability: | |
| Percentile: |
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | cassandra | From 4.0.0 (inc) to 4.0.20 (exc) |
Helpful Resources
Exploitability
| CWE ID | Description |
|---|---|
| CWE-532 | The product writes sensitive information to a log file. |
Attack-Flow Graph
AI Powered Q&A
Can you explain this vulnerability to me?
This vulnerability involves the Apache Cassandra command-line tool cqlsh, which saves a history of previously executed commands in the ~/.cassandra/cqlsh_history file in the user's home directory.
The issue is that cqlsh does not redact or mask sensitive information such as passwords when saving these commands. As a result, passwords entered during operations like logging in or creating users are stored in cleartext in this local history file, potentially exposing sensitive credentials to anyone with access to the file.
How can this vulnerability impact me? :
The vulnerability can lead to unauthorized access to sensitive information, specifically passwords, if an attacker or unauthorized user gains access to the ~/.cassandra/cqlsh_history file on the affected system.
Since passwords are stored in cleartext, this could compromise user accounts or database security by exposing credentials that should remain confidential.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by checking the presence and contents of the ~/.cassandra/cqlsh_history file in the user's home directory. Since cqlsh saves command history including sensitive information in cleartext, inspecting this file for passwords or sensitive commands can reveal if the vulnerability exists.
A simple command to check the file contents on a Unix-like system is:
- cat ~/.cassandra/cqlsh_history
You can also search for common password-related keywords within the history file using:
- grep -i password ~/.cassandra/cqlsh_history
If sensitive information such as passwords is found in this file, it indicates exposure due to this vulnerability.
What immediate steps should I take to mitigate this vulnerability?
The primary immediate mitigation step is to upgrade Apache Cassandra to version 4.0.20 or later, where this issue has been fixed.
Additionally, users should consider removing or securing the ~/.cassandra/cqlsh_history file to prevent unauthorized access to sensitive information stored in cleartext.
Avoid executing commands containing sensitive information in cqlsh until the upgrade is applied.
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?:
The vulnerability in Apache Cassandra's cqlsh tool causes sensitive information, such as passwords, to be stored in cleartext in a local history file (~/.cassandra/cqlsh_history). This exposure of sensitive credentials could potentially lead to unauthorized access if the file is accessed by malicious actors.
While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, the leakage of sensitive information such as passwords in cleartext could be considered a violation of data protection principles required by these regulations, which mandate the protection of personal and sensitive data.
Therefore, organizations using affected versions of Apache Cassandra might face compliance risks related to inadequate protection of sensitive information until they upgrade to a fixed version (4.0.20 or later).