PatchSiren cyber security CVE debrief
CVE-2026-47846 Bitnami CVE debrief
Bitnami Cassandra container images are affected by a retained default superuser vulnerability. When a custom administrator account is configured via the CASSANDRA_USER environment variable, the container initialization script creates the new superuser account but fails to drop the built-in cassandra account in certain scenarios. This leaves the default cassandra:cassandra superuser active as an unintended access path.
- Vendor
- Bitnami
- Product
- bitnami/cassandra
- CVSS
- CRITICAL 9.8
- CISA KEV
- Not listed in stored evidence
- Original CVE published
- 2026-06-18
- Original CVE updated
- 2026-06-22
- Advisory published
- 2026-06-18
- Advisory updated
- 2026-06-22
Who should care
Users of Bitnami Cassandra container images, particularly those using versions 4.0.x prior to 4.0.20-photon-5-r7, 4.1.x prior to 4.1.11-photon-5-r7, and 5.0.x prior to 5.0.8-photon-5-r4 or 5.0.8-debian-12-r3, should assess their exposure and apply necessary patches.
Technical summary
The vulnerability exists in Bitnami Cassandra container images. A custom administrator account configured via the CASSANDRA_USER environment variable leads to the creation of a new superuser account. However, the built-in cassandra account is not dropped in certain scenarios, leaving the default cassandra:cassandra superuser active. Affected versions include container images 4.0.x prior to 4.0.20-photon-5-r7, 4.1.x prior to 4.1.11-photon-5-r7, and 5.0.x prior to 5.0.8-photon-5-r4 or 5.0.8-debian-12-r3.
Defensive priority
High
Recommended defensive actions
- Inventory and assess Bitnami Cassandra container image usage, particularly versions 4.0.x, 4.1.x, and 5.0.x.
- Apply patches to update container images to versions 4.0.20-photon-5-r7, 4.1.11-photon-5-r7, or 5.0.8-photon-5-r4 / 5.0.8-debian-12-r3.
- Implement compensating controls, such as restricting access to Cassandra instances.
- Monitor for suspicious activity related to Cassandra instances.
- Verify custom administrator account configurations to ensure proper setup.
Evidence notes
The CVE record was published on 2026-06-18T20:16:13.630Z and was last modified on 2026-06-22T20:23:26.770Z. The NVD entry is currently Awaiting Analysis. The vulnerability has a CVSS score of 9.8 and is classified as CRITICAL.
Official resources
-
CVE-2026-47846 CVE record
CVE.org
-
CVE-2026-47846 NVD detail
NVD
-
Source item URL
nvd_modified
- Source reference
AI-assisted PatchSiren debrief based on the supplied source corpus. The CVE record was published on 2026-06-18T20:16:13.630Z and has not been modified since then. The NVD entry is currently Awaiting Analysis.