#VU125098 Cleartext storage of sensitive information in Cassandra - CVE-2026-27315

 

Published: April 7, 2026


Vulnerability identifier: #VU125098
Vulnerability risk: Low
CVSSv4.0: CVSS:4.0/AV:L/AC:L/AT:N/PR:L/UI:N/VC:H/VI:N/VA:N/SC:N/SI:N/SA:N/E:U/U:Clear
CVE-ID: CVE-2026-27315
CWE-ID: CWE-312
Exploitation vector: Local access
Exploit availability: No public exploit available
Vulnerable software: Cassandra
Software vendor: Apache Foundation

Description

The vulnerability allows a local user to disclose sensitive information.

The vulnerability exists due to improper handling of sensitive information in the cqlsh history file when saving previously executed cqlsh commands. A local user can read the local ~/.cassandra/cqlsh_history file to disclose sensitive information.

Passwords used in commands such as login or user creation may be stored in cleartext in the history file.


Remediation

Install the security update from the vendor's website.
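
To check whether a history file already holds password-bearing entries, the following Python audit flags such statements and reports whether other accounts can access the file. It is an added example, not part of the advisory or of Apache Cassandra's code; the regexes, the inclusion of ALTER and ROLE statements, and the sample lines are assumptions constructed for illustration.

```python
import os
import re
import stat
from pathlib import Path

HISTORY = Path.home() / ".cassandra" / "cqlsh_history"  # path from the advisory
MARKER = "-- redacted credential statement"

# Assumed patterns: LOGIN with an inline password, and CREATE/ALTER USER|ROLE
# statements containing PASSWORD. The advisory names login and user creation;
# the ALTER and ROLE forms are included here as an assumption.
PATTERNS = [
    re.compile(r"^\s*LOGIN\s+\S+\s+\S+", re.I),
    re.compile(r"^\s*(CREATE|ALTER)\s+(USER|ROLE)\b.*\bPASSWORD\b", re.I),
]

def find_credential_lines(lines):
    """Return 1-based numbers of lines that appear to carry a password."""
    return [n for n, line in enumerate(lines, 1)
            if any(p.search(line) for p in PATTERNS)]

def redact(lines):
    """Return a copy with credential-bearing lines replaced by MARKER."""
    hits = set(find_credential_lines(lines))
    return [MARKER if n in hits else line for n, line in enumerate(lines, 1)]

def audit(path=HISTORY):
    """Report loose permissions and credential lines; None if no history file."""
    if not path.is_file():
        return None
    mode = stat.S_IMODE(os.stat(path).st_mode)
    lines = path.read_text(errors="replace").splitlines()
    return {"path": str(path),
            "group_or_other_access": bool(mode & 0o077),
            "credential_lines": find_credential_lines(lines)}

# Constructed sample history, not taken from a real system.
SAMPLE = [
    "SELECT * FROM system.local;",
    "LOGIN app_admin 'constructed-pw-1'",
    "CREATE USER alice WITH PASSWORD 'constructed-pw-2' NOSUPERUSER;",
    "CREATE ROLE reporting WITH LOGIN = false;",
    "ALTER ROLE alice WITH PASSWORD = 'constructed-pw-3';",
    "LOGIN app_admin",
]

if __name__ == "__main__":
    print("sample hits:", find_credential_lines(SAMPLE))
    print("local audit:", audit())
```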
