Vulnerability Description
Sensitive Information Leak in cqlsh in Apache Cassandra 4.0 allows access to sensitive information, like passwords, from previously executed cqlsh command via ~/.cassandra/cqlsh_history local file access. Users are recommended to upgrade to version 4.0.20, which fixes this issue. -- Description: Cassandra's command-line tool, cqlsh, provides a command history feature that allows users to recall previously executed commands using the up/down arrow keys. These history records are saved in the ~/.cassandra/cqlsh_history file in the user's home directory. However, cqlsh does not redact sensitive information when saving command history. This means that if a user executes operations involving passwords (such as logging in or creating users) within cqlsh, these passwords are permanently stored in cleartext in the history file on the disk.
CVSS Score
MEDIUM
Affected Products
| Vendor | Product | Versions |
|---|---|---|
| Apache | Cassandra | >= 4.0.0, < 4.0.20 |
Related Weaknesses (CWE)
References
- https://issues.apache.org/jira/browse/CASSANDRA-21180PatchVendor AdvisoryIssue Tracking
- https://lists.apache.org/thread/ft77zrk2mzt8qsch4g6jqjj4901d22k3Mailing ListVendor Advisory
- http://www.openwall.com/lists/oss-security/2026/04/07/8Mailing ListThird Party Advisory
FAQ
What is CVE-2026-27315?
CVE-2026-27315 is a vulnerability with a CVSS score of 5.5 (MEDIUM). Sensitive Information Leak in cqlsh in Apache Cassandra 4.0 allows access to sensitive information, like passwords, from previously executed cqlsh command via ~/.cassandra/cqlsh_history local file ac...
How severe is CVE-2026-27315?
CVE-2026-27315 has been rated MEDIUM with a CVSS base score of 5.5/10. Review the CVSS metrics above for detailed severity breakdown.
Is there a patch for CVE-2026-27315?
Check the references section above for vendor advisories and patch information. Affected products include: Apache Cassandra.