CVE-2026-47847

June 18, 2026, 9:16 p.m.

5.3
Medium

Description

Bitnami MariaDB Galera container images and Helm chart are affected by a hardcoded default credential vulnerability in the Galera replication health-check user. The MARIADB_REPLICATION_USER and MARIADB_REPLICATION_PASSWORD environment variables defaulted to monitor and monitor respectively. This user is granted REPLICATION CLIENT privileges from any host ('%'). The Bitnami Helm chart for MariaDB Galera did not expose parameters to configure this user's credentials, resulting in all chart deployments using this publicly known credential by default. Affected versions — Container image: 10.6.x prior to 10.6.27-photon-5-r0; 10.11.x prior to 10.11.17-photon-5-r1; 11.4.x prior to 11.4.12-photon-5-r0; 11.8.x prior to 11.8.7-photon-5-r1; 12.3.x prior to 12.3.2-photon-5-r0 / 12.3.2-debian-12-r0. Helm chart: prior to 18.3.0.

Product(s) Impacted

Vendor Product Versions
Bitnami
  • Mariadb Galera
  • Mariadb
  • 10.6.<27-photon-5-r0, 10.11.<17-photon-5-r1, 11.4.<12-photon-5-r0, 11.8.<7-photon-5-r1, 12.3.<2-photon-5-r0, 12.3.<2-debian-12-r0
  • helm_chart

Weaknesses

Common security weaknesses mapped to this vulnerability.

CWE-798
Use of Hard-coded Credentials
The product contains hard-coded credentials, such as a password or cryptographic key, which it uses for its own inbound authentication, outbound communication to external components, or encryption of internal data.

*CPE(s)

Affected systems and software identified for this CVE.

Type Vendor Product Version Update Edition Language Software Edition Target Software Target Hardware Other Information
a bitnami mariadb_galera 10.6.<27-photon-5-r0 / / / / / / /
a bitnami mariadb_galera 10.11.<17-photon-5-r1 / / / / / / /
a bitnami mariadb_galera 11.4.<12-photon-5-r0 / / / / / / /
a bitnami mariadb_galera 11.8.<7-photon-5-r1 / / / / / / /
a bitnami mariadb_galera 12.3.<2-photon-5-r0 / / / / / / /
a bitnami mariadb_galera 12.3.<2-debian-12-r0 / / / / / / /
a bitnami mariadb helm_chart / / / / / / /

References

https://github.com/bitnami/containers/security/advisories/GHSA-xcv9-cg8m-3mf2

Tags

CWE-798
[email protected]
2026-06-18
CVE-2026-47847

CVSS Score

5.3 / 10

CVSS Data - 3.1

  • Attack Vector: NETWORK
  • Attack Complexity: LOW
  • Privileges Required: NONE
  • Scope: UNCHANGED
  • Confidentiality Impact: LOW
  • Integrity Impact: NONE
  • Availability Impact: NONE

    • CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N

    View Vector String

Timeline

Published: June 18, 2026, 8:16 p.m.
Last Modified: June 18, 2026, 9:16 p.m.

Status : Received

CVE has been recently published to the CVE List and has been received by the NVD.

More info

Source

[email protected]

*Disclaimer: Some vulnerabilities do not have an associated CPE. To enhance the data, we use AI to infer CPEs based on CVE details. This is an automated process and might not always be accurate.