CVE-2026-27315: Apache Cassandra: cqlsh history sensitive information leak

[Michael Semb Wever <mck () apache org>]

Severity: low 

Affected versions:

- Apache Cassandra (apache-cassandra) 4.0 through 4.0.19

Description:

Sensitive Information Leak in cqlsh in Apache Cassandra 4.0 allows access to sensitive information, like passwords, 
from previously executed cqlsh command via  ~/.cassandra/cqlsh_history local file access.

Users are recommended to upgrade to version 4.0.20, which fixes this issue.

--
Description: Cassandra's command-line tool, cqlsh, provides a command history feature that allows users to recall 
previously executed commands using the up/down arrow keys. These history records are saved in the 
~/.cassandra/cqlsh_history file in the user's home directory.

However, cqlsh does not redact sensitive information when saving command history. This means that if a user executes 
operations involving passwords (such as logging in or creating users) within cqlsh, these passwords are permanently 
stored in cleartext in the history file on the disk.

This issue is being tracked as CASSANDRA-21180 

Credit:

Youlong Chen, Institute of Computing Technology, Chinese Academy of Sciences (reporter)

References:

https://issues.apache.org/jira/browse/CASSANDRA-21180
https://cassandra.apache.org/
https://www.cve.org/CVERecord?id=CVE-2026-27315
https://issues.apache.org/jira/browse/CASSANDRA-21180