Impact
An input validation flaw in Azure Managed Instance for Apache Cassandra lets an attacker who already holds authorized access supply crafted network input that the service processes without adequate checks. The flaw permits execution of arbitrary code on the instance host, compromising the confidentiality, integrity, and availability of the managed database and potentially of the underlying virtual machine. The vulnerability is classified as CWE-20, Improper Input Validation. Because arbitrary code execution grants full control over the instance, the impact is severe.
Affected Systems
The vulnerability affects Microsoft Azure Managed Instance for Apache Cassandra. No specific product versions are listed, so all currently deployed instances that have not been updated with the Microsoft security update are considered affected. Only instances with the Microsoft security update installed are known to be safe.
Risk and Exploitability
The CVSS base score of 9.0 indicates critical severity. No EPSS score is available, but the flaw allows remote code execution over the network by an authorized attacker. Since the attack vector is network-based and requires valid credentials or authorization, the risk is highest for organizations that grant users direct Cassandra access or expose the service outside a protected network. The vulnerability is not listed in the CISA KEV catalog, so no active exploitation has been reported, but the critical severity warrants prompt remediation.
OpenCVE Enrichment