CVE-2025-26511: Instaclustr Cassandra-Lucene-Index allows bypass of Cassandra RBAC
(updated )
Summary / Details Systems running the Instaclustr fork of Stratio’s Cassandra-Lucene-Index plugin versions 4.0-rc1-1.0.0 through 4.0.16-1.0.0 and 4.1.0-1.0.0 through 4.1.8-1.0.0, installed into Apache Cassandra version 4.x, are susceptible to a vulnerability which when successfully exploited could allow authenticated Cassandra users to remotely bypass RBAC to access data and and escalate their privileges.
Affected Versions
- Cassandra-Lucene-Index plugin versions 4.0-rc1-1.0.0 through 4.0.16-1.0.0
- versions 4.1.0-1.0.0 through 4.1.8-1.0.0 when installed into Apache Cassandra version 4.x.
Required Configuration for Exploit These are the conditions required to enable exploit:
- Cassandra 4.x
- Vulnerable version of the Cassandra-Lucene-Index plugin configured for use
- Data added to tables
- Lucene index created
- Cassandra flush has run
Mitigation/Prevention Mitigation requires dropping all Lucene indexes and stopping use of the plugin. Exploit will be possible any time the required conditions are met.
Solution Upgrade to a fixed version of the Cassandra-Lucene-Index plugin. Review users in Cassandra to validate all superuser privileges.
References
- github.com/advisories/GHSA-mrqp-q7vx-v2cx
- github.com/instaclustr/cassandra-lucene-index
- github.com/instaclustr/cassandra-lucene-index/commit/94380b165bd3e597d3e22e47f8cc674ec7c7bf7f
- github.com/instaclustr/cassandra-lucene-index/security/advisories/GHSA-mrqp-q7vx-v2cx
- nvd.nist.gov/vuln/detail/CVE-2025-26511
Detect and mitigate CVE-2025-26511 with GitLab Dependency Scanning
Secure your software supply chain by verifying that all open source dependencies used in your projects contain no disclosed vulnerabilities. Learn more about Dependency Scanning →