PatchSiren

PatchSiren cyber security CVE debrief

CVE-2026-47846 Bitnami CVE debrief

Bitnami Cassandra container images are affected by a retained default superuser vulnerability. When a custom administrator account is configured via the CASSANDRA_USER environment variable, the container initialization script creates the new superuser account but fails to drop the built-in cassandra account in certain scenarios. This leaves the default cassandra:cassandra superuser active as an unintended access path.

Vendor
Bitnami
Product
bitnami/cassandra
CVSS
CRITICAL 9.8
CISA KEV
Not listed in stored evidence
Original CVE published
2026-06-18
Original CVE updated
2026-06-22
Advisory published
2026-06-18
Advisory updated
2026-06-22

Who should care

Users of Bitnami Cassandra container images, particularly those using versions 4.0.x prior to 4.0.20-photon-5-r7, 4.1.x prior to 4.1.11-photon-5-r7, and 5.0.x prior to 5.0.8-photon-5-r4 or 5.0.8-debian-12-r3, should assess their exposure and apply necessary patches.

Technical summary

The vulnerability exists in Bitnami Cassandra container images. A custom administrator account configured via the CASSANDRA_USER environment variable leads to the creation of a new superuser account. However, the built-in cassandra account is not dropped in certain scenarios, leaving the default cassandra:cassandra superuser active. Affected versions include container images 4.0.x prior to 4.0.20-photon-5-r7, 4.1.x prior to 4.1.11-photon-5-r7, and 5.0.x prior to 5.0.8-photon-5-r4 or 5.0.8-debian-12-r3.

Defensive priority

High

Recommended defensive actions

  • Inventory and assess Bitnami Cassandra container image usage, particularly versions 4.0.x, 4.1.x, and 5.0.x.
  • Apply patches to update container images to versions 4.0.20-photon-5-r7, 4.1.11-photon-5-r7, or 5.0.8-photon-5-r4 / 5.0.8-debian-12-r3.
  • Implement compensating controls, such as restricting access to Cassandra instances.
  • Monitor for suspicious activity related to Cassandra instances.
  • Verify custom administrator account configurations to ensure proper setup.

Evidence notes

The CVE record was published on 2026-06-18T20:16:13.630Z and was last modified on 2026-06-22T20:23:26.770Z. The NVD entry is currently Awaiting Analysis. The vulnerability has a CVSS score of 9.8 and is classified as CRITICAL.

Official resources

AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-18T20:16:13.630Z and has not been modified since then. The NVD entry is currently Awaiting Analysis.