CVE-2026-27315 Overview
A sensitive information leak vulnerability exists in Apache Cassandra's command-line tool, cqlsh, affecting version 4.0. The vulnerability allows unauthorized access to sensitive information, including passwords, through the ~/.cassandra/cqlsh_history local file. The command history feature in cqlsh saves previously executed commands to this file without redacting sensitive data. When users execute operations involving passwords—such as logging in or creating users—these credentials are permanently stored in cleartext in the history file on disk.
Critical Impact
Local attackers with file system access can extract cleartext passwords and other sensitive credentials from the cqlsh command history file, potentially compromising Cassandra database authentication.
Affected Products
- Apache Cassandra 4.0 (versions prior to 4.0.20)
- Apache Cassandra cqlsh command-line tool
Discovery Timeline
- April 7, 2026 - CVE-2026-27315 published to NVD
- April 9, 2026 - Last updated in NVD database
Technical Details for CVE-2026-27315
Vulnerability Analysis
This vulnerability is classified under CWE-532 (Insertion of Sensitive Information into Log File). The cqlsh tool provides a command history feature that allows users to recall previously executed commands using the up/down arrow keys. This functionality mirrors standard shell behavior for user convenience. However, the implementation fails to implement proper sanitization of sensitive data before persisting command history to disk.
When a database administrator or user executes commands containing authentication credentials, user creation statements, or password changes, these commands are written verbatim to ~/.cassandra/cqlsh_history. This creates a persistent record of plaintext credentials accessible to any local user with read permissions to the file. The vulnerability requires local access, meaning an attacker would need filesystem-level access to the target system.
Root Cause
The root cause of this vulnerability is the absence of sensitive data redaction in the cqlsh command history storage mechanism. The tool captures and persists all executed commands without filtering or masking credential-related content. Commands such as CREATE USER, ALTER USER, or LOGIN that include password parameters are stored exactly as entered, including plaintext password values.
Attack Vector
Exploitation of this vulnerability requires local access to the system running cqlsh. An attacker with read access to the user's home directory can directly access the ~/.cassandra/cqlsh_history file and extract any previously entered credentials. This attack vector is particularly concerning in shared hosting environments, multi-user systems, or scenarios where local privilege escalation has occurred. The attacker can then use extracted credentials to authenticate to Cassandra databases, potentially gaining access to sensitive data or administrative capabilities.
The attack scenario involves:
- An attacker gains local file system access to a system where Cassandra administrators use cqlsh
- The attacker reads the contents of ~/.cassandra/cqlsh_history
- Passwords and credentials from previous sessions are extracted in plaintext
- The attacker authenticates to Cassandra using the harvested credentials
Detection Methods for CVE-2026-27315
Indicators of Compromise
- Unauthorized read access attempts to ~/.cassandra/cqlsh_history files across user home directories
- Unusual authentication patterns in Cassandra logs using credentials that may have been harvested
- File access audit events showing non-owner reads of cqlsh history files
- Evidence of credential harvesting tools scanning for common history file locations
Detection Strategies
- Implement file integrity monitoring (FIM) on ~/.cassandra/cqlsh_history files to detect unauthorized access
- Configure auditd or equivalent file access logging for sensitive configuration and history files
- Monitor Cassandra authentication logs for login attempts from unexpected sources using legitimate credentials
- Deploy endpoint detection to identify credential harvesting activities targeting history files
Monitoring Recommendations
- Enable audit logging for file access events in directories containing sensitive history files
- Establish baseline access patterns for cqlsh history files and alert on deviations
- Integrate Cassandra authentication logs with SIEM platforms for correlation analysis
- Monitor for privilege escalation attempts that could lead to history file access
How to Mitigate CVE-2026-27315
Immediate Actions Required
- Upgrade Apache Cassandra to version 4.0.20 or later, which contains the fix for this vulnerability
- Review and clear existing ~/.cassandra/cqlsh_history files on all systems where cqlsh has been used
- Rotate any credentials that may have been stored in cqlsh history files
- Restrict file permissions on ~/.cassandra/cqlsh_history to owner-only access (chmod 600)
Patch Information
Apache has released version 4.0.20 which fixes this sensitive information leak issue. Users should upgrade to this version or later to ensure proper handling of sensitive command history. For additional technical details, refer to the Apache JIRA Issue CASSANDRA-21180 and the Apache Mailing List Thread.
Workarounds
- Disable command history in cqlsh by setting HISTFILE to /dev/null before launching the tool
- Use environment variables or secure credential stores instead of entering passwords directly in cqlsh
- Implement a cron job or script to periodically clear or sanitize the cqlsh history file
- Configure restrictive file permissions on the .cassandra directory and its contents
# Secure cqlsh history file permissions and disable history
chmod 600 ~/.cassandra/cqlsh_history
chmod 700 ~/.cassandra
# Disable cqlsh history by setting HISTFILE to /dev/null
export CQLSH_HISTFILE=/dev/null
# Remove existing history containing potential credentials
rm -f ~/.cassandra/cqlsh_history
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
