Severity by source
AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Primary rating from NVD.
CVSS VectorNVD
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:C/C:H/I:H/A:H
Lifecycle Timeline
2DescriptionCVE.org
Improper access control in Azure Managed Instance for Apache Cassandra allows an authorized attacker to execute code over a network.
Articles & Coverage 1
AnalysisAI
Remote code execution in Azure Managed Instance for Apache Cassandra allows authenticated attackers with low privileges to execute arbitrary code across tenant boundaries. The vulnerability involves improper access control (CWE-284) enabling scope escape with complete compromise of confidentiality, integrity, and availability. Microsoft has released a patch per MSRC advisory. CVSS 9.9 (Critical) reflects network-based attack with low complexity, low privileges required, and changed scope indicating container/tenant escape potential.
Technical ContextAI
Azure Managed Instance for Apache Cassandra is Microsoft's fully managed cloud service for Apache Cassandra databases, providing automated deployment, scaling, and maintenance. The vulnerability stems from CWE-284 (Improper Access Control), a broad weakness class covering insufficient authorization checks, privilege validation failures, or security boundary enforcement gaps. In multi-tenant cloud environments like Azure, access control flaws can enable lateral movement between customer instances or privilege escalation from database user to underlying infrastructure. The Changed Scope (S:C) in the CVSS vector indicates the vulnerability affects resources beyond the vulnerable component's authorization scope, suggesting potential container escape, cross-tenant access, or cloud infrastructure compromise. Tags reference 'Authentication Bypass' alongside 'Apache' and 'Microsoft', indicating the flaw may allow circumventing authentication boundaries in the Cassandra service layer or Azure management plane.
RemediationAI
Apply vendor-released patch per Microsoft Security Response Center advisory at https://msrc.microsoft.com/update-guide/vulnerability/CVE-2026-33109. As a fully managed Azure service, patching is typically performed by Microsoft through service updates rather than customer-initiated upgrades - consult the MSRC advisory for service update timeline and any required customer actions. Until patching is complete, implement compensating controls: restrict network access to Azure Managed Cassandra instances using Azure Network Security Groups or Private Endpoints to trusted IP ranges only, eliminating public internet exposure (mitigates AV:N attack vector but impacts legitimate remote access). Review and minimize privileged user accounts with Cassandra database access, enforcing principle of least privilege and multi-factor authentication for all accounts (reduces PR:L attack surface but requires operational overhead). Audit access logs for unauthorized code execution attempts or unusual cross-tenant activity patterns. Enable Azure Defender for Cloud alerts on Cassandra instances to detect exploitation indicators.
Same weakness CWE-284 – Improper Access Control
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-28448
GHSA-g4xx-6vv3-3x48