CVE-2026-47846

Name of the Vulnerable Software and Affected Versions Bitnami Cassandra container images versions 4.0.x prior to 4.0.20-photon-5-r7 Bitnami Cassandra container images versions 4.1.x prior to 4.1.11-photon-5-r7 Bitnami Cassandra container images versions 5.0.x prior to 5.0.8-photon-5-r4 / 5.0.8-debian-12-r3

Description Container initialization scripts fail to remove the built-in cassandra account when a custom administrator account is configured using the CASSANDRA USER environment variable. This allows a remote attacker who knows the default credentials to authenticate to the cluster as a full superuser, bypassing the intended account replacement.

Recommendations Update versions 4.0.x to 4.0.20-photon-5-r7 or later. Update versions 4.1.x to 4.1.11-photon-5-r7 or later. Update versions 5.0.x to 5.0.8-photon-5-r4 / 5.0.8-debian-12-r3 or later.