Skip to main content

Bitnami Cassandra CVE-2026-47846

| EUVDEUVD-2026-37932 CRITICAL
Use of Hard-coded Credentials (CWE-798)
2026-06-18 vmware
9.8
CVSS 3.1 · Vendor: vmware
Share

Severity by source

Vendor (vmware) PRIMARY
9.8 CRITICAL
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
vuln.today AI
9.8 CRITICAL

Default cassandra:cassandra credentials remain valid over the network CQL protocol, granting unauthenticated superuser access with full read, write, and destructive capability.

3.1 AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
4.0 AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N

Primary rating from Vendor (vmware).

CVSS VectorVendor: vmware

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Attack Vector
Network
Attack Complexity
Low
Privileges Required
None
User Interaction
None
Scope
Unchanged
Confidentiality
High
Integrity
High
Availability
High

Lifecycle Timeline

3
Patch available
Jun 18, 2026 - 21:02 EUVD
Analysis Generated
Jun 18, 2026 - 20:01 vuln.today
CVE Published
Jun 18, 2026 - 18:39 cve.org
CRITICAL 9.8

DescriptionCVE.org

Bitnami Cassandra container images are affected by a retained default superuser vulnerability. When a custom administrator account is configured via the CASSANDRA_USER environment variable, the container initialization script creates the new superuser account but fails to drop the built-in cassandra account in certain scenarios. This leaves the default cassandra:cassandra superuser active as an unintended access path.

Affected versions - Container image: 4.0.x prior to 4.0.20-photon-5-r7; 4.1.x prior to 4.1.11-photon-5-r7; 5.0.x prior to 5.0.8-photon-5-r4 / 5.0.8-debian-12-r3.

AnalysisAI

Authentication bypass in Bitnami Cassandra container images (4.0.x, 4.1.x, 5.0.x lines) allows remote attackers to access the database as superuser using the built-in cassandra:cassandra credentials, even when operators configure a custom administrator via CASSANDRA_USER. The container init script provisions the new superuser but, in certain scenarios, fails to drop the default account, leaving an unintended privileged login path. …

Unlock full vulnerability intelligence

  • Risk assessment & exploitation conditions
  • Attack chain visualization
  • Remediation with exact patch versions
  • Threat intelligence from 22 sources
  • Personal watchlist & email alerts

Free forever · No credit card required

Attack ChainAIDerived

Hypothetical attack flow derived from CVE metadata

Access
Discover exposed CQL port 9042
Delivery
Attempt default cassandra:cassandra login
Exploit
Authenticate as retained superuser
Execution
Enumerate keyspaces and roles
Persist
Create persistent backdoor role
Impact
Exfiltrate or destroy data

Vulnerability AssessmentAI

Exploitation Requires a Bitnami Cassandra container deployed from a vulnerable image tag where the operator set the CASSANDRA_USER environment variable to provision a custom administrator - the bug specifically affects this code path, so images run with the stock 'cassandra' admin or without custom user vars are not in scope of this CVE (though they retain the default account by design). … Additional conditions and limiting factors are described in the full assessment.
Risk Assessment The published CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H = 9.8) is plausible for any deployment that exposes the CQL native protocol (TCP/9042) to attackers, since the default credentials are universally known and authentication is the only barrier - meaning AC:L and PR:N are well justified. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in.
Exploit Scenario An attacker who can reach the CQL port (9042) of a Bitnami-deployed Cassandra cluster - for example via an exposed Kubernetes Service, a misconfigured cloud LoadBalancer, or lateral movement from a compromised application pod - simply runs cqlsh -u cassandra -p cassandra <host> and obtains superuser access despite the operator believing only their custom CASSANDRA_USER account exists. From that session the attacker can read or modify every keyspace, create new superuser roles for persistence, or DROP KEYSPACE for destructive impact. …
Remediation Patch available per vendor advisory: upgrade to Bitnami Cassandra image tags 4.0.20-photon-5-r7, 4.1.11-photon-5-r7, 5.0.8-photon-5-r4, or 5.0.8-debian-12-r3 (or later), per https://github.com/bitnami/containers/security/advisories/GHSA-8q3j-37vg-8fc2. … Detailed patch versions, workarounds, and compensating controls in full report.

Recommended ActionAI

Within 24 hours: Inventory all systems running Bitnami Cassandra 4.0.x, 4.1.x, or 5.0.x; restrict network access to CQL port 9042 using firewall and security group rules; review database audit logs for connections using cassandra:cassandra credentials. …

Sign in for detailed remediation steps and compensating controls.

Threat intelligence, references, and detailed analysis are available after sign-in.

Share

CVE-2026-47846 vulnerability details – vuln.today

This site uses cookies essential for authentication and security. No tracking or analytics cookies are used. Privacy Policy