CVE-2026-47847
Status: Received - Intake
Hard-Coded Credentials in Bitnami MariaDB Galera

Publication date: 2026-06-18

Last updated on: 2026-06-18

Assigner: VMware

Description
Bitnami MariaDB Galera container images and Helm chart are affected by a hardcoded default credential vulnerability in the Galera replication health-check user. The MARIADB_REPLICATION_USER and MARIADB_REPLICATION_PASSWORD environment variables defaulted to monitor and monitor respectively. This user is granted REPLICATION CLIENT privileges from any host ('%'). The Bitnami Helm chart for MariaDB Galera did not expose parameters to configure this user's credentials, resulting in all chart deployments using this publicly known credential by default.

Affected versions:
  • Container image: 10.6.x prior to 10.6.27-photon-5-r0; 10.11.x prior to 10.11.17-photon-5-r1; 11.4.x prior to 11.4.12-photon-5-r0; 11.8.x prior to 11.8.7-photon-5-r1; 12.3.x prior to 12.3.2-photon-5-r0 / 12.3.2-debian-12-r0.
  • Helm chart: prior to 18.3.0.
Meta Information
Generated: 2026-06-19
AI Q&A generated: 2026-06-19
EPSS evaluated: N/A
Affected Vendors & Products (6 associated CPEs)
Vendor    Product          Version / Range
bitnami   mariadb_galera   up to 10.6.27-photon-5-r0 (excluding)
bitnami   mariadb_galera   up to 10.11.17-photon-5-r1 (excluding)
bitnami   mariadb_galera   up to 11.4.12-photon-5-r0 (excluding)
bitnami   mariadb_galera   up to 11.8.7-photon-5-r1 (excluding)
bitnami   mariadb_galera   up to 12.3.2-debian-12-r0 (excluding)
bitnami   mariadb_galera   up to 18.3.0 (excluding; Helm chart version)
CWE
CWE-798  The product contains hard-coded credentials, such as a password or cryptographic key.
AI Quick Actions
Executive Summary

CVE-2026-47847 is a moderate severity vulnerability in Bitnami MariaDB Galera container images and Helm charts caused by hardcoded default credentials for the Galera replication health-check user.

The username and password for this user are both set to "monitor" by default, and this user has REPLICATION CLIENT privileges from any host, allowing remote attackers with network access to the MariaDB port to authenticate using these known credentials.

Because the Bitnami Helm chart did not expose parameters to configure these credentials, all deployments used this publicly known credential by default.

Impact Analysis

This vulnerability allows remote attackers with network access to the MariaDB port (default 3306) to authenticate as the replication health-check user using default credentials.

The attacker can then query replication topology and status information, potentially exposing cluster topology and replication configuration.

The impact is rated moderate, with a CVSS score of 5.3: the replication user cannot modify or delete data, but the status and topology information it can read leaks details of the database replication setup.

Detection Guidance

This vulnerability can be detected by checking if the MariaDB Galera deployment is using the default replication health-check user credentials, which are username 'monitor' and password 'monitor'.

You can attempt to connect to the MariaDB service on port 3306 using these credentials to verify if the default user is active and accessible.

For example, you can use the following command to test authentication and query replication status:

  • mysql -h <mariadb_host> -P 3306 -u monitor -pmonitor -e "SHOW STATUS LIKE 'wsrep_%';"

If the command succeeds, it indicates the default credentials are still in use and the system is vulnerable.

Mitigation Strategies

Immediate mitigation steps include upgrading the affected Bitnami MariaDB Galera container images or Helm charts to the fixed versions.

  • Upgrade container images to versions 10.6.27-photon-5-r0 or later, 10.11.17-photon-5-r1 or later, 11.4.12-photon-5-r0 or later, 11.8.7-photon-5-r1 or later, and 12.3.2-photon-5-r0 / 12.3.2-debian-12-r0 or later.
  • Upgrade Helm charts to version 18.3.0 or later.

Additionally, set strong, unique passwords for the replication user instead of the default 'monitor' password.

Restrict network access to the MariaDB port (default 3306) to trusted hosts only.

Rotate existing replication user passwords to prevent unauthorized access.
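The following audit helper is an added example for this record, not Bitnami or VMware code. It turns the detection guidance and the fixed-version list above into checks that can be run offline over deployment inventory: it maps a container image tag onto the affected ranges from the advisory, compares a Helm chart version against 18.3.0, and reports whether a container's environment still carries the default monitor/monitor pair. It assumes image tags follow the layout used in the advisory itself (base version, distro, distro release, revision, e.g. 11.4.12-photon-5-r0); the sample inventory at the bottom is constructed, not taken from any real cluster.

```python
"""Inventory audit for CVE-2026-47847: Bitnami MariaDB Galera default
replication credentials.  Added example, not Bitnami or VMware code.

Checks a defender can run over deployment inventory (image tags, chart
versions and container environment):
  - is_affected_image(tag): is the container image tag inside one of the
    affected ranges listed in the advisory?
  - is_affected_chart(version): is the Helm chart older than 18.3.0?
  - uses_default_replication_credentials(env): does the container still
    carry the default monitor/monitor pair?

Assumed tag layout (matches the advisory's own tags):
"<major>.<minor>.<patch>-<distro>-<distro release>-r<revision>",
for example "11.4.12-photon-5-r0".
"""
import re
from typing import Optional

# First fixed (patch, revision) per release stream, from the advisory.
# For 10.11.x and 11.8.x the fix is in revision r1, so the r0 build of the
# same base version is still affected; for 12.3.x both photon and debian
# builds are fixed at r0, so the distro is not part of the comparison.
FIXED_IMAGE = {
    (10, 6): (27, 0),
    (10, 11): (17, 1),
    (11, 4): (12, 0),
    (11, 8): (7, 1),
    (12, 3): (2, 0),
}
FIXED_CHART = (18, 3, 0)

DEFAULT_USER = "monitor"
DEFAULT_PASSWORD = "monitor"

_TAG_RE = re.compile(
    r"^(?P<major>\d+)\.(?P<minor>\d+)\.(?P<patch>\d+)"
    r"-(?P<distro>[a-z]+)-(?P<distro_rel>\d+)-r(?P<rev>\d+)$"
)


def parse_tag(tag: str) -> Optional[dict]:
    """Split a Bitnami-style tag into its parts; None if it does not match."""
    m = _TAG_RE.match(tag)
    if m is None:
        return None
    return {k: (v if k == "distro" else int(v)) for k, v in m.groupdict().items()}


def is_affected_image(tag: str) -> Optional[bool]:
    """True = affected, False = fixed, None = tag unparsable or its release
    stream is not one the advisory lists (e.g. a floating tag like 'latest')."""
    parts = parse_tag(tag)
    if parts is None:
        return None
    fixed = FIXED_IMAGE.get((parts["major"], parts["minor"]))
    if fixed is None:
        return None
    return (parts["patch"], parts["rev"]) < fixed


def is_affected_chart(version: str) -> Optional[bool]:
    """Helm chart versions are plain semver; anything below 18.3.0 is affected."""
    try:
        v = tuple(int(x) for x in version.split("."))
    except ValueError:
        return None
    if len(v) != 3:
        return None
    return v < FIXED_CHART


def uses_default_replication_credentials(env: dict) -> bool:
    """env maps container environment variable names to values (for example
    built from the container spec of a pod).  An unset variable is treated
    as taking the advisory's documented default, which is the weak value."""
    user = env.get("MARIADB_REPLICATION_USER", DEFAULT_USER)
    password = env.get("MARIADB_REPLICATION_PASSWORD", DEFAULT_PASSWORD)
    return user == DEFAULT_USER and password == DEFAULT_PASSWORD


def audit_container(tag: str, env: dict) -> list:
    """Return human-readable findings for one container; empty list = clean."""
    findings = []
    verdict = is_affected_image(tag)
    if verdict is True:
        findings.append(f"image tag {tag} is in an affected range")
    elif verdict is None:
        findings.append(f"image tag {tag} could not be mapped to an advisory range; check manually")
    if uses_default_replication_credentials(env):
        findings.append("replication user still uses the default monitor/monitor credential")
    return findings


if __name__ == "__main__":
    # Constructed sample inventory, not data from any real cluster.
    sample = [
        ("10.11.17-photon-5-r0", {"MARIADB_REPLICATION_USER": "monitor",
                                  "MARIADB_REPLICATION_PASSWORD": "monitor"}),
        ("11.4.12-photon-5-r0", {"MARIADB_REPLICATION_USER": "monitor",
                                 "MARIADB_REPLICATION_PASSWORD": "example-rotated-secret"}),
        ("latest", {}),
    ]
    for tag, env in sample:
        print(tag, "->", audit_container(tag, env) or ["no findings"])
```

The two checks are deliberately independent: an image can be in a fixed range while a deployment still injects the old password through its own environment, and a floating tag such as "latest" cannot be classified from the tag alone, so the helper reports it for manual review rather than silently treating it as fixed.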

Compliance Impact

The vulnerability involves hardcoded default credentials that allow remote attackers to authenticate and query replication topology and status information. This could lead to unauthorized access to certain database information.

Such unauthorized access may impact compliance with standards and regulations like GDPR and HIPAA, which require protection of sensitive data and control over access to systems. Exposure of replication topology and status information could be considered a confidentiality risk under these regulations.

Mitigation steps such as upgrading to fixed versions, setting strong unique passwords, restricting network access, and rotating passwords are necessary to reduce the risk and help maintain compliance.
