Sensitive Information Exposure in Apache Cassandra's Command-Line Tool
CVE-2026-27315

Currently unrated

Key Information:

Vendor: Apache
Status: Apache Cassandra
Vendor: CVE Published:; 7 April 2026

What is CVE-2026-27315?

The command-line interface tool, cqlsh, associated with Apache Cassandra allows for command history retrieval. However, due to a lack of redaction for sensitive data, commands that include sensitive information like passwords are logged in plaintext in the ~/.cassandra/cqlsh_history file. This can lead to unauthorized access to passwords and other confidential data if the history file is accessed by malicious users. To mitigate this risk, it is recommended that users upgrade to Apache Cassandra version 4.0.20 or later, where this issue is addressed.

Affected Version(s)

Apache Cassandra 4.0 <= 4.0.19

References

https://issues.apache.org/jira/browse/CASSANDRA-21180

issue-tracking

https://lists.apache.org/thread/ft77zrk2mzt8qsch4g6jqjj49...

vendor-advisory

Download the Critical Vulnerability Management Cheat Sheet

Timeline

Vulnerability published
Apr 7, 2026
Vulnerability Reserved
Feb 19, 2026

Credit

Youlong Chen, Institute of Computing Technology, Chinese Academy of Sciences

CVE-2026-27315 Data

JSON