CVE-2026-47846
Default Superuser Retained in Bitnami Cassandra Container Images

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: VMware

Description
Bitnami Cassandra container images are affected by a retained default superuser vulnerability. When a custom administrator account is configured via the CASSANDRA_USER environment variable, the container initialization script creates the new superuser account but fails to drop the built-in cassandra account in certain scenarios. This leaves the default cassandra:cassandra superuser active as an unintended access path. Affected versions (container image): 4.0.x prior to 4.0.20-photon-5-r7; 4.1.x prior to 4.1.11-photon-5-r7; 5.0.x prior to 5.0.8-photon-5-r4 / 5.0.8-debian-12-r3.
Meta Information
Generated: 2026-06-19
AI Q&A: 2026-06-18
EPSS Evaluated: N/A
Affected Vendors & Products (4 associated CPEs)

Vendor    Product     Version / Range
bitnami   cassandra   up to 4.0.20-photon-5-r7 (excluding)
bitnami   cassandra   up to 4.1.11-photon-5-r7 (excluding)
bitnami   cassandra   up to 5.0.8-photon-5-r4 (excluding)
bitnami   cassandra   up to 5.0.8-debian-12-r3 (excluding)
CWE
CWE-798: The product contains hard-coded credentials, such as a password or cryptographic key.
Executive Summary

The Bitnami Cassandra container images have a vulnerability where the default superuser account 'cassandra:cassandra' remains active even after a custom administrator account is configured using the CASSANDRA_USER environment variable.

This happens because the container initialization script sometimes fails to remove the built-in default superuser account, leaving an unintended access path open.

As a result, an attacker can authenticate using the default credentials and gain full superuser privileges on the Cassandra database.

Impact Analysis

This vulnerability allows remote attackers to gain full superuser access to the Cassandra database without any privileges or user interaction.

  • Complete access to keyspaces and tables.
  • Ability to modify cluster topology.
  • High impact on confidentiality, integrity, and availability of the database.

Because of the low attack complexity and no required privileges, this vulnerability poses a critical security risk.

Detection Guidance

This vulnerability can be detected by checking if the default superuser account cassandra:cassandra is still active on your Bitnami Cassandra container, even after configuring a custom administrator account via the CASSANDRA_USER environment variable.

A practical way to verify this is to connect to the Cassandra CQL shell and query the existing superuser accounts.

  • Use the CQL shell command to list users and check if the default 'cassandra' user still exists: `SELECT * FROM system_auth.roles WHERE role = 'cassandra';`
  • Attempt to authenticate using the default credentials (username: cassandra, password: cassandra) to see if access is granted.
Mitigation Strategies

Immediate mitigation steps include upgrading the Bitnami Cassandra container images to the patched versions: 4.0.20-photon-5-r7, 4.1.11-photon-5-r7, or 5.0.8-photon-5-r4 / 5.0.8-debian-12-r3.

If upgrading is not immediately possible, manually drop the default 'cassandra' superuser account using the CQL shell as a temporary workaround.

  • Connect to the CQL shell as the custom administrator account (not as cassandra, since Cassandra refuses to drop the role of the current login) and execute: `DROP ROLE cassandra;`

Additionally, restrict network access to the Cassandra CQL port (9042) to limit exposure to remote attackers.
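The detection and mitigation steps above can be turned into an audit rule that runs over the rows of `system_auth.roles`. The following Python is an added example, not part of the CVE record and not Bitnami's own initialization script. It assumes the rows are obtained either through the cassandra-driver (`session.execute("SELECT role, can_login, is_superuser FROM system_auth.roles")`) or by piping cqlsh's `COPY system_auth.roles (role, can_login, is_superuser) TO STDOUT` into `parse_roles_csv`; the boolean spelling "True"/"False" in that CSV is an assumption about cqlsh output, and the sample rows embedded below are constructed. The rule reports "critical" only when a custom administrator (CASSANDRA_USER) was configured and the built-in cassandra role is still a login-capable superuser, which is exactly the condition the advisory describes, and it checks that the configured administrator is itself a superuser before suggesting `DROP ROLE cassandra;`.

```python
"""Audit rule for CVE-2026-47846: retained default Cassandra superuser.

Added example; assumes system_auth.roles rows carry the columns
role, can_login and is_superuser (the standard Cassandra schema).
"""
import csv
import io
from dataclasses import dataclass
from typing import Iterable, List, Mapping, Optional

DEFAULT_SUPERUSER = "cassandra"


@dataclass(frozen=True)
class Finding:
    severity: str                      # "critical", "warning" or "ok"
    reason: str
    remediation_cql: Optional[str] = None


def _truthy(value: object) -> bool:
    """Accept real booleans and the textual forms produced by CSV export."""
    if isinstance(value, bool):
        return value
    return str(value).strip().lower() in ("true", "1", "yes")


def parse_roles_csv(text: str) -> List[dict]:
    """Parse 'role,can_login,is_superuser' lines such as cqlsh COPY ... TO STDOUT
    emits (assumption: booleans spelled True/False, no header row)."""
    rows = []
    for role, can_login, is_superuser in csv.reader(io.StringIO(text)):
        rows.append({"role": role.strip(),
                     "can_login": _truthy(can_login),
                     "is_superuser": _truthy(is_superuser)})
    return rows


def check_retained_default_superuser(roles: Iterable[Mapping[str, object]],
                                     configured_user: Optional[str]) -> Finding:
    """Evaluate the roles table against the CVE-2026-47846 condition."""
    by_name = {str(r["role"]): r for r in roles}
    default = by_name.get(DEFAULT_SUPERUSER)
    if default is None:
        return Finding("ok", "built-in 'cassandra' role is absent")

    admin = configured_user or DEFAULT_SUPERUSER   # unset CASSANDRA_USER means the default login
    if admin == DEFAULT_SUPERUSER:
        # No custom administrator: the default role is the intended login, so it
        # is not "retained by mistake"; flag it as a warning rather than the CVE case.
        return Finding("warning", "no custom administrator configured; "
                                  "the built-in 'cassandra' superuser is the only admin")

    if admin not in by_name:
        return Finding("warning", f"configured administrator '{admin}' not present in system_auth.roles")

    default_login = _truthy(default.get("can_login"))
    default_super = _truthy(default.get("is_superuser"))
    if not default_login:
        return Finding("ok", "built-in 'cassandra' role exists but cannot log in")
    if not default_super:
        return Finding("warning", "built-in 'cassandra' role can still log in (not a superuser)")

    # The advisory's condition: custom admin exists, default superuser still active.
    if not _truthy(by_name[admin].get("is_superuser")):
        # DROP ROLE needs superuser rights, so the configured admin cannot remediate as-is.
        return Finding("critical",
                       f"default superuser retained and '{admin}' is not a superuser; "
                       "drop 'cassandra' from another superuser account")
    return Finding("critical",
                   f"default superuser 'cassandra' retained alongside '{admin}'",
                   remediation_cql=f"DROP ROLE {DEFAULT_SUPERUSER};")


# Constructed sample data: a vulnerable table and a correctly initialized one.
VULNERABLE_ROLES_CSV = "cassandra,True,True\nmyadmin,True,True\n"
FIXED_ROLES_CSV = "myadmin,True,True\n"


def audit(csv_text: str, configured_user: Optional[str]) -> Finding:
    """Convenience wrapper: parse exported rows, then apply the rule."""
    return check_retained_default_superuser(parse_roles_csv(csv_text), configured_user)


if __name__ == "__main__":
    for label, data in (("vulnerable", VULNERABLE_ROLES_CSV), ("fixed", FIXED_ROLES_CSV)):
        f = audit(data, "myadmin")
        print(f"{label}: {f.severity} - {f.reason}"
              + (f" (run as myadmin: {f.remediation_cql})" if f.remediation_cql else ""))
```

The remediation string is only emitted when the configured administrator is a superuser, because `DROP ROLE` requires superuser rights and must be issued from a login other than cassandra itself; running the audit again after the drop should return "ok".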

Compliance Impact

The vulnerability allows remote attackers to gain full superuser privileges by exploiting the retained default cassandra:cassandra account, which can lead to unauthorized access and modification of sensitive data.

Such unauthorized access and potential data breaches can negatively impact compliance with common standards and regulations like GDPR and HIPAA, which require strict controls over data confidentiality, integrity, and availability.

Failure to properly secure superuser accounts and prevent unintended access paths may result in violations of these regulations, leading to legal and financial consequences.
