Impact
Affected Bitnami Cassandra container images keep the built-in cassandra:cassandra superuser enabled even after a custom administrator account has been configured through the CASSANDRA_USER environment variable. The default superuser therefore remains an unintended, well-known access path that grants administrative privileges to anyone who can reach the database. The result is complete compromise of the Cassandra instance: data theft, data modification, and a foothold for further lateral movement within the infrastructure. The weakness is a classic default-credentials flaw (CWE-798, Use of Hard-coded Credentials).
Affected Systems
Bitnami Cassandra container images in all major release streams are affected: 4.0.x before 4.0.20-photon-5-r7, 4.1.x before 4.1.11-photon-5-r7, and 5.0.x before 5.0.8-photon-5-r4 or 5.0.8-debian-12-r3. Any deployment running one of these images has the default cassandra superuser available until the image is upgraded.
Risk and Exploitability
The CVSS score of 9.8 rates the vulnerability as critical: once the container is running with the default account present, exploitation requires little more than the well-known credentials. No EPSS score is available, so the likelihood of exploitation in the wild cannot be quantified, and the absence of a KEV listing does nothing to reduce the immediate exposure. Any attacker who can execute commands inside the container or reach the Cassandra port can connect as cassandra:cassandra and obtain full administrative rights.
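A defender-side check for the state described in the Impact and Risk sections, added here as an example that is not Bitnami's or OpenCVE's code: it parses the table cqlsh prints for SELECT role, can_login, is_superuser FROM system_auth.roles; (run as the account named by CASSANDRA_USER), flags a built-in cassandra superuser that can still log in next to the custom admin, and emits the CQL that disables and drops it. The query, the role name "admin" and the sample table are assumptions constructed for the example.

```python
DEFAULT_SUPERUSER = "cassandra"   # role every Cassandra install ships with

def parse_roles(cqlsh_output):
    """Map role name -> (can_login, is_superuser) from cqlsh's printed table.
    The first line containing '|' is the column header, so the parser copes
    with extra columns if the table was fetched with SELECT *."""
    header, roles = None, {}
    for line in cqlsh_output.splitlines():
        if "|" not in line:
            continue                      # separator, blank and "(n rows)" lines
        cells = [c.strip() for c in line.split("|")]
        if header is None:
            header = cells
            continue
        row = dict(zip(header, cells))    # cqlsh prints booleans as True/False
        roles[row["role"]] = (row["can_login"] == "True", row["is_superuser"] == "True")
    return roles

def audit(roles, custom_admin):
    """Findings for the state the advisory describes; an empty list is clean."""
    findings = []
    if roles.get(custom_admin) != (True, True):
        findings.append(f"custom admin '{custom_admin}' missing or not a login-capable superuser")
    # Role flags say nothing about passwords, so when CASSANDRA_USER *is* the
    # built-in role it cannot be judged here; only the stale-default case,
    # a second superuser that can still log in, is reported.
    if custom_admin != DEFAULT_SUPERUSER and roles.get(DEFAULT_SUPERUSER) == (True, True):
        findings.append(f"built-in superuser '{DEFAULT_SUPERUSER}' still enabled alongside '{custom_admin}'")
    return findings

def remediation_cql():
    """CQL to run as the custom admin (disable first, then drop; either suffices).
    Cassandra will not let a role drop itself or alter its own superuser flag,
    so never run this while logged in as 'cassandra'."""
    return [f"ALTER ROLE {DEFAULT_SUPERUSER} WITH LOGIN = false AND SUPERUSER = false;",
            f"DROP ROLE IF EXISTS {DEFAULT_SUPERUSER};"]

# Constructed sample of what cqlsh prints for the query named in the lead-in.
SAMPLE_CQLSH_OUTPUT = """\
 role      | can_login | is_superuser
-----------+-----------+--------------
 cassandra |      True |         True
     admin |      True |         True

(2 rows)
"""

if __name__ == "__main__":
    for finding in audit(parse_roles(SAMPLE_CQLSH_OUTPUT), "admin"):
        print("FINDING:", finding)
```

Rerun the query after applying the CQL; the audit returns an empty list once the cassandra role is gone or can no longer log in.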
OpenCVE Enrichment