CVE-2026-47846 | Bitnami Cassandra container images are affected by a retaine… | CVSS 9.8 CRITICAL

Description

Bitnami Cassandra container images are affected by a retained default superuser vulnerability. When a custom administrator account is configured via the CASSANDRA_USER environment variable, the container initialization script creates the new superuser account but fails to drop the built-in cassandra account in certain scenarios. This leaves the default cassandra:cassandra superuser active as an unintended access path. Affected versions — Container image: 4.0.x prior to 4.0.20-photon-5-r7; 4.1.x prior to 4.1.11-photon-5-r7; 5.0.x prior to 5.0.8-photon-5-r4 / 5.0.8-debian-12-r3.

Metadata

CVE ID: CVE-2026-47846
State: PUBLISHED
Assigner: vmware
Reserved: 2026-05-20 10:00 UTC
Published: 2026-06-18 18:39 UTC
Last updated: 2026-06-18 20:24 UTC
Primary CWE: CWE-798
CWE-798: Use of Hard-coded Credentials
Vendor / Product: Bitnami / bitnami/cassandra
Sources: cve.org · NVD

Severity & Metrics

9.8 CRITICAL CVSS 3.1

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

SSVC — CISA Coordinator

Exploitation: none
Automatable: yes
Tech. Impact: total

Affected products (1)

Vendor	Product	Platform	Versions
Bitnami	bitnami/cassandra	—	4.0.0 < 4.0.20-photon-5-r7, 4.1.0 < 4.1.11-photon-5-r7, 5.0.0 < 5.0.8-photon-5-r4

Weakness (CWE)

CWE	Source	Description
CWE-798	cna	CWE-798: Use of Hard-coded Credentials

CVSS scores (1)

Score	Severity	Version	Source	Vector
9.8	CRITICAL	3.1	cna	CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

References (1)

https://github.com/bitnami/containers/security/advisories/GHSA-8q3j-37vg-8fc2