CVE-2025-26511
📋 TL;DR
This vulnerability allows authenticated Cassandra users to bypass Role-Based Access Control (RBAC) and escalate privileges in systems running the Instaclustr fork of Stratio's Cassandra-Lucene-Index plugin. Affected systems include those with the plugin versions 4.0-rc1-1.0.0 through 4.0.16-1.0.0 and 4.1.2-1.0.0 through 4.1.8-1.0.0 installed on Apache Cassandra 4.x.
💻 Affected Systems
- Instaclustr fork of Stratio's Cassandra-Lucene-Index plugin
⚠️ Manual Verification Required
This site's automated detection cannot tell whether your system is affected: the vulnerable component is a plugin JAR, not a Cassandra release, so the Cassandra version alone does not identify it. Confirm the installed plugin version yourself against the ranges in the TL;DR above, on every node.
- Review the CVE details at NVD
- Check the vendor advisory (linked under Official Fix) for the exact affected and fixed versions on your branch
- Test if the vulnerability is exploitable in your environment
- Update to the latest plugin release for your Cassandra branch as a precaution
⚠️ Risk & Real-World Impact
Worst Case
Attackers gain full administrative control over the Cassandra database, allowing data theft, modification, or destruction of all stored data.
Likely Case
Authenticated users escalate privileges to perform unauthorized operations beyond their assigned permissions, potentially accessing sensitive data.
If Mitigated
With proper network segmentation and minimal user privileges, impact is limited to specific database operations rather than full system compromise.
🎯 Exploit Status
Exploitation requires authenticated access to Cassandra. The vulnerability is in the Lucene index plugin's permission validation logic.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: 4.0.17-1.0.0 or later on the 4.0.x branch, 4.1.9-1.0.0 or later on the 4.1.x branch
Vendor Advisory: https://github.com/instaclustr/cassandra-lucene-index/security/advisories/GHSA-mrqp-q7vx-v2cx
Restart Required: Yes (rolling restart). The plugin JAR is read from Cassandra's lib/ directory when the JVM starts; replacing the file on disk does not reload the class in a running node.
Instructions:
1. Download the patched plugin JAR for your Cassandra branch from the official repository. The version prefix (4.0.17, 4.1.9) is the Cassandra release the plugin is built against, so moving to a patched plugin may also mean moving the node to that Cassandra release.
2. On each node, replace the existing cassandra-lucene-index JAR in Cassandra's lib/ directory. Remove the old JAR rather than leaving it beside the new one, so only one version is on the classpath.
3. Restart the node, one node at a time, and confirm the cluster is healthy (nodetool status) before moving to the next.
4. Verify the new version on every node; a single unpatched node leaves the cluster exposed.
🔧 Temporary Workarounds
Disable Lucene Index Plugin
Temporarily disable the vulnerable plugin to prevent exploitation while planning an update.
Before removing it, list the Lucene indexes in the schema (rows in system_schema.indexes whose class_name option is com.stratio.cassandra.lucene.Index) and DROP INDEX each one, because queries that rely on those indexes fail once the class is gone. Then remove or rename the cassandra-lucene-index JAR in Cassandra's lib/ directory on every node and restart each node. This removes the feature as well as the bug, so treat it as a stop-gap.
🧯 If You Can't Patch
- Restrict access to the native transport port (9042 by default) to application hosts and administrators; the bypass still requires a valid Cassandra login, so fewer reachable clients means fewer candidate accounts
- Apply the principle of least privilege to all Cassandra roles, remove unused roles, and audit grants regularly (LIST ALL PERMISSIONS)
- Enable Cassandra's audit log (4.0+) so that reads and index creations by each role are recorded and can be compared against the grants that role should hold
🔍 How to Verify
Check if Vulnerable:
Cassandra has no separate plugins directory: the plugin JAR sits in Cassandra's lib/ directory and its file name carries the version, typically in the form cassandra-lucene-index-plugin-4.0.15-1.0.0.jar, where 4.0.15 is the Cassandra release it was built against and 1.0.0 is the plugin release. Check every node; nodes in one cluster can drift.
Check Version:
ls -la /path/to/cassandra/lib/ | grep cassandra-lucene-index
Verify Fix Applied:
Verify the plugin JAR has been updated to version 4.0.17-1.0.0 or higher on the 4.0.x branch, or 4.1.9-1.0.0 or higher on the 4.1.x branch, and that no older copy of the JAR remains on the classpath.
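The version check above can be scripted so it can be run on every node. The script below is an added example and is not tooling from Instaclustr or the plugin project. It assumes the JAR name ends in "<cassandra-version>-<plugin-version>.jar" (for example cassandra-lucene-index-plugin-4.0.15-1.0.0.jar) and that the fixed versions are the ones this page lists (4.0.17 and 4.1.9 prefixes); both thresholds can be overridden if the vendor advisory differs.

```shell
#!/bin/sh
# Added example (not the plugin's or Instaclustr's own tooling): classify an
# installed cassandra-lucene-index plugin version against the affected ranges
# given on this page. Assumptions: the JAR name ends in
# "<cassandra-version>-<plugin-version>.jar" (e.g.
# cassandra-lucene-index-plugin-4.0.15-1.0.0.jar) and lives in Cassandra's lib/;
# the fixed-version thresholds default to the ones listed under Official Fix.

# vercmp A B: numeric compare of dotted versions, printing -1, 0 or 1.
# A pre-release component such as "0-rc1" converts to 0, so 4.0-rc1 is
# treated as 4.0.0, which is fine for a lower bound.
vercmp() {
  awk -v a="$1" -v b="$2" 'BEGIN {
    na = split(a, x, "."); nb = split(b, y, ".")
    n = (na > nb) ? na : nb
    for (i = 1; i <= n; i++) {
      p = (i <= na) ? x[i] + 0 : 0
      q = (i <= nb) ? y[i] + 0 : 0
      if (p < q) { print -1; exit }
      if (p > q) { print 1; exit }
    }
    print 0
  }'
}

# lucene_index_status VERSION [FIXED_4_0] [FIXED_4_1]
# Prints "vulnerable", "fixed" or "unknown-branch" and returns 1, 0 or 2.
# Anything older than the fixed release on its branch is reported vulnerable,
# including builds below the listed lower bound, since those are unpatched too.
lucene_index_status() {
  ver=$1
  fixed40=${2:-4.0.17}
  fixed41=${3:-4.1.9}
  cass=${ver%-*}    # drop the trailing "-<plugin-version>": 4.0.15-1.0.0 -> 4.0.15
  case $cass in
    4.0|4.0.*|4.0-*) fixed=$fixed40 ;;
    4.1|4.1.*|4.1-*) fixed=$fixed41 ;;
    *) echo unknown-branch; return 2 ;;
  esac
  if [ "$(vercmp "$cass" "$fixed")" -lt 0 ]; then
    echo vulnerable; return 1
  fi
  echo fixed
}

# scan_lib_dir DIR: report the status of every cassandra-lucene-index JAR in DIR.
# Two JARs reported means an old copy was left beside the new one.
scan_lib_dir() {
  found=0
  for jar in "$1"/cassandra-lucene-index*.jar; do
    [ -e "$jar" ] || continue        # glob matched nothing
    found=1
    name=${jar##*/}
    ver=$(printf '%s\n' "$name" | sed -n 's/^cassandra-lucene-index[-a-z]*-\([0-9].*\)\.jar$/\1/p')
    status=$(lucene_index_status "$ver") || true   # keep going under set -e
    echo "$name: $status"
  done
  [ "$found" -eq 1 ] || { echo "no cassandra-lucene-index JAR found in $1"; return 3; }
}

# Usage: sh check-lucene-index.sh /path/to/cassandra/lib
[ $# -eq 0 ] || scan_lib_dir "$1"
```

Run it against the lib/ directory of each node; the exit status of lucene_index_status (1 for vulnerable) makes it easy to wire into a fleet check that fails when any node is still on an affected build.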
📡 Detection & Monitoring
Log Indicators:
- A successful bypass produces no "permission denied" error, so the system log on its own is a weak signal; enable Cassandra's audit log (4.0+, nodetool enableauditlog or audit_logging_options in cassandra.yaml) and look for SELECT or CREATE_INDEX entries from roles that hold no grant on the keyspace involved
- CREATE CUSTOM INDEX statements using the com.stratio.cassandra.lucene.Index class issued by non-administrative roles
- Privilege changes (GRANT, ALTER ROLE) or other operations from users with previously limited permissions
Network Indicators:
- Unusual query patterns or data volume from authenticated users, especially reads against keyspaces an application role does not normally touch
SIEM Query:
source="audit.log" AND ("type:SELECT" OR "type:CREATE_INDEX") AND NOT "user:cassandra"
(replace "cassandra" with the roles that are entitled to the keyspace in question; the query surfaces successful operations, since a bypass is not a failed one)
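The audit-log comparison described above, as an added example that is not Cassandra's or the plugin's own tooling: it reads audit entries, parses the FileAuditLogger "key:value|key:value" layout, and prints every SELECT or CREATE_INDEX whose role is not entitled to that keyspace. The log lines and the grant matrix are constructed for the example; in practice the matrix comes from LIST ALL PERMISSIONS, and if you use the default BinAuditLogger you dump the log with auditlogviewer first.

```shell
#!/bin/sh
# Added example, not Cassandra's or the plugin's own tooling: check Cassandra
# audit-log entries against the grants each role is supposed to hold, so that a
# read or index creation the RBAC layer should have refused stands out even
# though no "permission denied" was ever logged. The log lines below are
# constructed in the FileAuditLogger "key:value|key:value" layout; the grant
# matrix is a hypothetical allowlist you would derive from LIST ALL PERMISSIONS.

# Allowlist: "role keyspace" pairs; "*" marks a role entitled to every keyspace.
GRANTS='
analyst reporting
app orders
cassandra *
'

# Constructed sample: six audit entries from one node.
SAMPLE_LOG=$(cat <<'EOF'
user:analyst|host:10.0.0.5:9042|source:/10.0.1.7|port:51234|timestamp:1739000000000|type:SELECT|category:QUERY|ks:reporting|scope:daily|operation:SELECT * FROM reporting.daily
user:analyst|host:10.0.0.5:9042|source:/10.0.1.7|port:51234|timestamp:1739000001000|type:SELECT|category:QUERY|ks:orders|scope:payments|operation:SELECT * FROM orders.payments
user:app|host:10.0.0.5:9042|source:/10.0.2.9|port:40122|timestamp:1739000002000|type:SELECT|category:QUERY|ks:orders|scope:payments|operation:SELECT * FROM orders.payments WHERE id = 42
user:app|host:10.0.0.5:9042|source:/10.0.2.9|port:40122|timestamp:1739000003000|type:CREATE_INDEX|category:DDL|ks:reporting|scope:daily|operation:CREATE CUSTOM INDEX daily_idx ON reporting.daily () USING 'com.stratio.cassandra.lucene.Index'
user:cassandra|host:10.0.0.5:9042|source:/10.0.0.5|port:9042|timestamp:1739000004000|type:SELECT|category:QUERY|ks:system_auth|scope:roles|operation:SELECT * FROM system_auth.roles
user:app|host:10.0.0.5:9042|source:/10.0.2.9|port:40122|timestamp:1739000005000|type:LOGIN_SUCCESS|category:AUTH|operation:LOGIN SUCCESSFUL
EOF
)

# flag_out_of_policy GRANTS < audit-lines: print one line per SELECT or
# CREATE_INDEX entry whose role is not entitled to that keyspace.
flag_out_of_policy() {
  awk -v grants="$1" '
    BEGIN {
      n = split(grants, rows, "\n")
      for (i = 1; i <= n; i++)
        if (split(rows[i], f, " ") == 2) allowed[f[1], f[2]] = 1
    }
    {
      for (k in e) delete e[k]
      m = split($0, kv, "|")
      for (i = 1; i <= m; i++) {
        p = index(kv[i], ":")        # first colon separates key from value
        if (p > 0) e[substr(kv[i], 1, p - 1)] = substr(kv[i], p + 1)
      }
      if (e["type"] != "SELECT" && e["type"] != "CREATE_INDEX") next
      if (e["ks"] == "") next          # no keyspace (e.g. LOGIN): nothing to police
      if ((e["user"], e["ks"]) in allowed) next
      if ((e["user"], "*") in allowed) next
      printf "OUT-OF-POLICY user=%s ks=%s type=%s op=%s\n", e["user"], e["ks"], e["type"], e["operation"]
    }'
}

# Wrappers so the constructed sample can be run and checked.
run_sample() { printf '%s\n' "$SAMPLE_LOG" | flag_out_of_policy "$GRANTS"; }
count_sample_flags() { run_sample | wc -l | tr -d ' '; }

# Usage on a real node: flag_out_of_policy "$GRANTS" < /path/to/audit.log
```

On the sample, the analyst's read of orders.payments and the app role's Lucene index creation on reporting are flagged; the superuser's read of system_auth and the login entry are not. Feeding a real audit log through the same function turns "did anyone read something they were not granted" into a question the log can answer.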