CVE-2026-27315
Received Received - Intake
Cleartext Password Leak via cqlsh History File in Apache Cassandra

Publication date: 2026-04-07

Last updated on: 2026-04-15

Assigner: Apache Software Foundation

Description
Sensitive Information Leak in cqlsh in Apache Cassandra 4.0 allows access to sensitive information, like passwords, from previously executed cqlsh command via  ~/.cassandra/cqlsh_history local file access. Users are recommended to upgrade to version 4.0.20, which fixes this issue. -- Description: Cassandra's command-line tool, cqlsh, provides a command history feature that allows users to recall previously executed commands using the up/down arrow keys. These history records are saved in the ~/.cassandra/cqlsh_history file in the user's home directory. However, cqlsh does not redact sensitive information when saving command history. This means that if a user executes operations involving passwords (such as logging in or creating users) within cqlsh, these passwords are permanently stored in cleartext in the history file on the disk.
CVSS Scores
EPSS Scores
Probability:
Percentile:
Meta Information
Published
2026-04-07
Last Modified
2026-04-15
Generated
2026-06-16
AI Q&A
2026-04-07
EPSS Evaluated
2026-06-15
NVD
CVE-2026-27315
EUVD
EUVD-2026-19763
Affected Vendors & Products
Showing 1 associated CPE
Vendor Product Version / Range
apache cassandra From 4.0.0 (inc) to 4.0.20 (exc)
Helpful Resources
Exploitability
CWE
CWE Icon
KEV
KEV Icon
CWE ID Description
CWE-532 The product writes sensitive information to a log file.
Attack-Flow Graph
AI Quick Actions
Instant insights powered by AI
Executive Summary

This vulnerability involves the Apache Cassandra command-line tool cqlsh, which saves a history of previously executed commands in the ~/.cassandra/cqlsh_history file in the user's home directory.

The issue is that cqlsh does not redact or mask sensitive information such as passwords when saving these commands. As a result, passwords entered during operations like logging in or creating users are stored in cleartext in this local history file, potentially exposing sensitive credentials to anyone with access to the file.

Impact Analysis

The vulnerability can lead to unauthorized access to sensitive information, specifically passwords, if an attacker or unauthorized user gains access to the ~/.cassandra/cqlsh_history file on the affected system.

Since passwords are stored in cleartext, this could compromise user accounts or database security by exposing credentials that should remain confidential.

Detection Guidance

This vulnerability can be detected by checking the presence and contents of the ~/.cassandra/cqlsh_history file in the user's home directory. Since cqlsh saves command history including sensitive information in cleartext, inspecting this file for passwords or sensitive commands can reveal if the vulnerability exists.

A simple command to check the file contents on a Unix-like system is:

  • cat ~/.cassandra/cqlsh_history

You can also search for common password-related keywords within the history file using:

  • grep -i password ~/.cassandra/cqlsh_history

If sensitive information such as passwords is found in this file, it indicates exposure due to this vulnerability.

Mitigation Strategies

The primary immediate mitigation step is to upgrade Apache Cassandra to version 4.0.20 or later, where this issue has been fixed.

Additionally, users should consider removing or securing the ~/.cassandra/cqlsh_history file to prevent unauthorized access to sensitive information stored in cleartext.

Avoid executing commands containing sensitive information in cqlsh until the upgrade is applied.

Compliance Impact

The vulnerability in Apache Cassandra's cqlsh tool causes sensitive information, such as passwords, to be stored in cleartext in a local history file (~/.cassandra/cqlsh_history). This exposure of sensitive credentials could potentially lead to unauthorized access if the file is accessed by malicious actors.

While the provided information does not explicitly mention compliance with standards like GDPR or HIPAA, the leakage of sensitive information such as passwords in cleartext could be considered a violation of data protection principles required by these regulations, which mandate the protection of personal and sensitive data.

Therefore, organizations using affected versions of Apache Cassandra might face compliance risks related to inadequate protection of sensitive information until they upgrade to a fixed version (4.0.20 or later).

Chat Assistant
Ask questions about this CVE
Hi! I’m here to help you understand CVE-2026-27315. Ask me anything about the vulnerability, its impact, or mitigation strategies.
0/70
EPSS Chart