CVE-2026-47846
CriticalCVSS 9.8Exploitation Probability (EPSS)
Low risk25th percentile — higher than 25% of all known CVEs
Summary
Bitnami Cassandra container images are affected by a retained default superuser vulnerability. When a custom administrator account is configured via the CASSANDRA_USER environment variable, the container initialization script creates the new superuser account but fails to drop the built-in cassandra account in certain scenarios.
Risk Assessment
Leaving the default cassandra:cassandra superuser active creates an unintended access path to the system, which may lead to unauthorized access and potential security breaches.
Recommendation
It is recommended to update the container images to versions 4.0.20-photon-5-r7, 4.1.11-photon-5-r7, or 5.0.8-photon-5-r4 / 5.0.8-debian-12-r3 to remove the default superuser account.
Original NVD description (English source)
Bitnami Cassandra container images are affected by a retained default superuser vulnerability. When a custom administrator account is configured via the CASSANDRA_USER environment variable, the container initialization script creates the new superuser account but fails to drop the built-in cassandra account in certain scenarios. This leaves the default cassandra:cassandra superuser active as an unintended access path. Affected versions — Container image: 4.0.x prior to 4.0.20-photon-5-r7; 4.1.x prior to 4.1.11-photon-5-r7; 5.0.x prior to 5.0.8-photon-5-r4 / 5.0.8-debian-12-r3.

