Severity by source
AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Default cassandra:cassandra credentials remain valid over the network CQL protocol, granting unauthenticated superuser access with full read, write, and destructive capability.
Primary rating from Vendor (vmware).
CVSS VectorVendor: vmware
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
Lifecycle Timeline
3DescriptionCVE.org
Bitnami Cassandra container images are affected by a retained default superuser vulnerability. When a custom administrator account is configured via the CASSANDRA_USER environment variable, the container initialization script creates the new superuser account but fails to drop the built-in cassandra account in certain scenarios. This leaves the default cassandra:cassandra superuser active as an unintended access path.
Affected versions - Container image: 4.0.x prior to 4.0.20-photon-5-r7; 4.1.x prior to 4.1.11-photon-5-r7; 5.0.x prior to 5.0.8-photon-5-r4 / 5.0.8-debian-12-r3.
AnalysisAI
Authentication bypass in Bitnami Cassandra container images (4.0.x, 4.1.x, 5.0.x lines) allows remote attackers to access the database as superuser using the built-in cassandra:cassandra credentials, even when operators configure a custom administrator via CASSANDRA_USER. The container init script provisions the new superuser but, in certain scenarios, fails to drop the default account, leaving an unintended privileged login path. …
Unlock full vulnerability intelligence
- Risk assessment & exploitation conditions
- Attack chain visualization
- Remediation with exact patch versions
- Threat intelligence from 22 sources
- Personal watchlist & email alerts
Free forever · No credit card required
Attack ChainAIDerived
Hypothetical attack flow derived from CVE metadata
Vulnerability AssessmentAI
| Exploitation | Requires a Bitnami Cassandra container deployed from a vulnerable image tag where the operator set the CASSANDRA_USER environment variable to provision a custom administrator - the bug specifically affects this code path, so images run with the stock 'cassandra' admin or without custom user vars are not in scope of this CVE (though they retain the default account by design). … Additional conditions and limiting factors are described in the full assessment. |
| Risk Assessment | The published CVSS 3.1 vector (AV:N/AC:L/PR:N/UI:N/C:H/I:H/A:H = 9.8) is plausible for any deployment that exposes the CQL native protocol (TCP/9042) to attackers, since the default credentials are universally known and authentication is the only barrier - meaning AC:L and PR:N are well justified. … Full risk analysis with EPSS, KEV, and SSVC signal comparison available after sign-in. |
| Exploit Scenario | An attacker who can reach the CQL port (9042) of a Bitnami-deployed Cassandra cluster - for example via an exposed Kubernetes Service, a misconfigured cloud LoadBalancer, or lateral movement from a compromised application pod - simply runs cqlsh -u cassandra -p cassandra <host> and obtains superuser access despite the operator believing only their custom CASSANDRA_USER account exists. From that session the attacker can read or modify every keyspace, create new superuser roles for persistence, or DROP KEYSPACE for destructive impact. … |
| Remediation | Patch available per vendor advisory: upgrade to Bitnami Cassandra image tags 4.0.20-photon-5-r7, 4.1.11-photon-5-r7, 5.0.8-photon-5-r4, or 5.0.8-debian-12-r3 (or later), per https://github.com/bitnami/containers/security/advisories/GHSA-8q3j-37vg-8fc2. … Detailed patch versions, workarounds, and compensating controls in full report. |
Recommended ActionAI
Within 24 hours: Inventory all systems running Bitnami Cassandra 4.0.x, 4.1.x, or 5.0.x; restrict network access to CQL port 9042 using firewall and security group rules; review database audit logs for connections using cassandra:cassandra credentials. …
Sign in for detailed remediation steps and compensating controls.
Threat intelligence, references, and detailed analysis are available after sign-in.
Same weakness CWE-798 – Use of Hard-coded Credentials
View allSame technique Authentication Bypass
View allShare
External POC / Exploit Code
Leaving vuln.today
EUVD-2026-37932