diff --git a/CHANGELOG.md b/CHANGELOG.md
index 2476bff..499090a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -6,6 +6,9 @@ SPDX-License-Identifier: Apache-2.0
 
 # Changelog
 
+## 7.0.2-SNAPSHOT
+- CLI `change-key-password`: Fix indirect parameter passing for new and old passwords (thanks to @dkg for the report)
+
 ## 7.0.1
 - `decrypt`: Do not throw `NoSignature` exception (exit code 3) if `--verify-with` is provided, but `VERIFICATIONS` is empty.
 
diff --git a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/ChangeKeyPasswordCmd.java b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/ChangeKeyPasswordCmd.java
index 5a6aa2a..0e12ef8 100644
--- a/sop-java-picocli/src/main/java/sop/cli/picocli/commands/ChangeKeyPasswordCmd.java
+++ b/sop-java-picocli/src/main/java/sop/cli/picocli/commands/ChangeKeyPasswordCmd.java
@@ -39,15 +39,17 @@ public class ChangeKeyPasswordCmd extends AbstractSopCmd {
             changeKeyPassword.noArmor();
         }
 
-        for (String oldKeyPassword : oldKeyPasswords) {
-            changeKeyPassword.oldKeyPassphrase(oldKeyPassword);
-        }
-
-        if (newKeyPassword != null) {
-            changeKeyPassword.newKeyPassphrase(newKeyPassword);
-        }
-
         try {
+            for (String oldKeyPassword : oldKeyPasswords) {
+                String password = stringFromInputStream(getInput(oldKeyPassword));
+                changeKeyPassword.oldKeyPassphrase(password);
+            }
+
+            if (newKeyPassword != null) {
+                String password = stringFromInputStream(getInput(newKeyPassword));
+                changeKeyPassword.newKeyPassphrase(password);
+            }
+
             changeKeyPassword.keys(System.in).writeTo(System.out);
         } catch (IOException e) {
             throw new RuntimeException(e);