Primary

Context

Apache Cassandra cqlsh Sensitive Information Leak Vulnerability

Vulnerability

Patched

A sensitive information leak vulnerability has been identified in the cqlsh command-line tool of Apache Cassandra versions 4.0 through 4.0.19. This vulnerability allows access to sensitive data, such as passwords, from the cqlsh command history. The history is stored in the local file ~/.cassandra/cqlsh_history, and cqlsh does not redact sensitive information before saving it. As a result, passwords entered during command execution are permanently recorded in cleartext.

Impact

Exploitation of this vulnerability leads to the unintentional storage of sensitive information, like passwords, in an unprotected format, where it can be accessed by anyone with access to the local file.

Remediation

Users are advised to upgrade to Apache Cassandra version 4.0.20 or later, as this version addresses the vulnerability by redacting sensitive information in the command history. Instructions for upgrading can be found on the Apache Cassandra website.

Added: Apr 7, 2026, 7:43 PM

Updated: Apr 7, 2026, 7:43 PM

Vulnerability Rating

Custom Algorithm

spread

2.6

impact

2.5

exploitability

2.8

remediation

7.7

relevance

5.4

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Vulnerability Rating

Custom Algorithm

spread

2.6

impact

2.5

exploitability

2.8

remediation

7.7

relevance

5.4

threat

0.0

urgency

2.9

incentive

0.0

Our algorithm analyzes dozens of metrics to generate these 8 key vulnerability categories, which are then combined to calculate the overall risk score.

Apache Cassandra cqlsh Sensitive Information Leak Vulnerability

Vulnerability

Impact

Remediation

Affected Products

Apache Cassandra

CVSS Scores

References

Vulnerability Rating

Vulnerability Rating