CVE-2026-27315
Description
Sensitive Information Leak in cqlsh in Apache Cassandra 4.0 allows access to sensitive information, like passwords, from previously executed cqlsh command via ~/.cassandra/cqlsh_history local file access.
Users are recommended to upgrade to version 4.0.20, which fixes this issue.
-- Description: Cassandra's command-line tool, cqlsh, provides a command history feature that allows users to recall previously executed commands using the up/down arrow keys. These history records are saved in the ~/.cassandra/cqlsh_history file in the user's home directory.
However, cqlsh does not redact sensitive information when saving command history. This means that if a user executes operations involving passwords (such as logging in or creating users) within cqlsh, these passwords are permanently stored in cleartext in the history file on the disk.
Affected packages
Versions sourced from the GitHub Security Advisory.
| Package | Affected versions | Patched versions |
|---|---|---|
org.apache.cassandra:cassandra-allMaven | >= 4.0, < 4.0.20 | 4.0.20 |
Affected products
1Patches
0No patches discovered yet.
Vulnerability mechanics
AI mechanics synthesis has not run for this CVE yet.
References
5- issues.apache.org/jira/browse/CASSANDRA-21180nvdPatchVendor AdvisoryIssue TrackingWEB
- www.openwall.com/lists/oss-security/2026/04/07/8nvdMailing ListThird Party AdvisoryWEB
- github.com/advisories/GHSA-fh34-c629-p8xjghsaADVISORY
- lists.apache.org/thread/ft77zrk2mzt8qsch4g6jqjj4901d22k3nvdMailing ListVendor AdvisoryWEB
- nvd.nist.gov/vuln/detail/CVE-2026-27315ghsaADVISORY
News mentions
3- Patch Tuesday - May 2026Rapid7 Blog · May 13, 2026
- Microsoft Patch Tuesday for May 2026 — Snort rules and prominent vulnerabilitiesCisco Talos Intelligence · May 12, 2026
- Microsoft May 2026 Patch Tuesday, (Tue, May 12th)SANS Internet Storm Center · May 12, 2026