
CVE-2025-26467: Apache Cassandra: User with MODIFY permission on ALL KEYSPACES can escalate privileges to superuser via unsafe actions (4.0.16 only)

CVSS Score (v3.1): 8.8

Basic Information

EPSS Score: -
Published: 8/25/2025
Updated: 8/25/2025
KEV Status: No
Technology: Java

Technical Details

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Package Name: org.apache.cassandra:cassandra-all
Ecosystem: maven
Vulnerable Versions: = 4.0.16
First Patched Version: 4.0.17

Vulnerability Intelligence

Miggo AI Root Cause Analysis

The vulnerability allows a user with MODIFY permission on ALL KEYSPACES to escalate their privileges to a superuser. This is because Apache Cassandra version 4.0.16 incorrectly applied permissions granted on ALL KEYSPACES to system keyspaces, which contain sensitive data and configuration.

The analysis of the patch between version 4.0.16 and the fixed version 4.0.17 reveals two key changes that address this issue:

  1. ClientState.ensurePermission Modification: The core of the vulnerability lies in this function, which is central to all authorization checks. The patch introduces logic to specifically check if a resource belongs to a system keyspace. If it does, it ignores any permissions granted on ALL KEYSPACES and requires an explicit permission grant on the system keyspace itself. This is the primary fix that prevents the privilege escalation.

  2. GrantPermissionsStatement Validation: As a defense-in-depth measure, the patch also introduces validation to the GRANT statement execution path. A new validate method prevents the granting of a denylist of powerful permissions (e.g., CREATE, DROP, MODIFY) directly on system keyspaces. This hardens the system against misconfiguration.

Therefore, during exploitation, two functions would be involved. First, GrantPermissionsStatement.execute would be used (by an admin) to set up the vulnerable state (GRANT MODIFY ON ALL KEYSPACES). Second, and more critically, ClientState.ensurePermission would be on the runtime stack when the non-privileged user performs a malicious action on a system table, as this function would incorrectly authorize the action in the vulnerable version.
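As an added illustration, not Cassandra's own code, the following Python model reproduces the two checks the analysis describes: permission resolution up the data resource hierarchy with and without the system-keyspace exception, and the GRANT-time denylist. The set of system keyspace names and the contents of the denylist are assumptions.

```python
# Added example, not Apache Cassandra's code: a simplified model of the
# authorization check and the GRANT-time validation described above.
# Resource hierarchy: data (ALL KEYSPACES) -> data/<ks> -> data/<ks>/<table>.

# Assumption: a representative subset of Cassandra's system keyspace names.
SYSTEM_KEYSPACES = {"system", "system_auth", "system_schema",
                    "system_distributed", "system_traces"}
# Assumption: the denylist holds the permissions the analysis names as examples.
DENYLIST = {"CREATE", "DROP", "MODIFY"}

def ancestors(resource):
    """Yield the resource, then each parent up to the root 'data'."""
    parts = resource.split("/")
    while parts:
        yield "/".join(parts)
        parts.pop()

def keyspace_of(resource):
    parts = resource.split("/")
    return parts[1] if len(parts) > 1 else None

def ensure_permission(grants, role, permission, resource, fixed=True):
    """Return True if `role` holds `permission` on `resource` or an ancestor.
    grants: {role: {resource: set_of_permissions}}.
    fixed=False reproduces 4.0.16: a grant on the root 'data' (ALL KEYSPACES)
    is inherited by every keyspace, system ones included. fixed=True models
    4.0.17: for a system keyspace the root grant is ignored, so an explicit
    grant on that keyspace (or table) is required."""
    is_system = keyspace_of(resource) in SYSTEM_KEYSPACES
    for r in ancestors(resource):
        if fixed and is_system and r == "data":
            continue  # ALL KEYSPACES grant must not reach a system keyspace
        if permission in grants.get(role, {}).get(r, set()):
            return True
    return False

def validate_grant(permission, resource):
    """Defense in depth: refuse a denylisted permission granted directly on a
    system keyspace or one of its tables. Returns True when the GRANT is allowed."""
    return not (keyspace_of(resource) in SYSTEM_KEYSPACES and permission in DENYLIST)

# Constructed sample state: an operator ran GRANT MODIFY ON ALL KEYSPACES TO app_user.
GRANTS = {"app_user": {"data": {"MODIFY"}}}

def can_write_role_table(fixed):
    """Can app_user modify system_auth.roles, the table that stores role definitions?"""
    return ensure_permission(GRANTS, "app_user", "MODIFY", "data/system_auth/roles", fixed)

if __name__ == "__main__":
    print("4.0.16:", can_write_role_table(fixed=False))  # True: root grant reaches system_auth
    print("4.0.17:", can_write_role_table(fixed=True))   # False: blocked by the fix
```

An explicit grant on the system keyspace itself still resolves under the fixed logic, which is the behaviour the patch requires operators to opt into deliberately.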


WAF Protection Rules

WAF Rule

Privilege Defined With Unsafe Actions vulnerability in Apache Cassandra. A user with MODIFY permission ON ALL KEYSPACES can escalate privileges to superuser within a targeted Cassandra cluster via unsafe actions to a system resource. Operators grant
