8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-26511

GHSA ID

GHSA-mrqp-q7vx-v2cx

EPSS Score

0.06158%

CWE

CWE-288

Published

2/13/2025

Updated

2/14/2025

KEV Status

Technology

Java

Concerned about an active attack path?

Talk to our security experts and see Miggo in action.

Miggo Vulnerability Database

→

CVE-2025-26511

CVE-2025-26511:
Instaclustr Cassandra-Lucene-Index allows bypass of Cassandra RBAC

Summary / Details Systems running the Instaclustr fork of Stratio's Cassandra-Lucene-Index plugin versions 4.0-rc1-1.0.0 through 4.0.16-1.0.0 and 4.1.0-1.0.0 through 4.1.8-1.0.0, installed into Apache Cassandra version 4.x, are susceptible to a vulnerability which when successfully exploited could allow authenticated Cassandra users to remotely bypass RBAC to access data and and escalate their privileges.

Affected Versions

Cassandra-Lucene-Index plugin versions 4.0-rc1-1.0.0 through 4.0.16-1.0.0
versions 4.1.0-1.0.0 through 4.1.8-1.0.0 when installed into Apache Cassandra version 4.x.

Required Configuration for Exploit These are the conditions required to enable exploit:

Cassandra 4.x
Vulnerable version of the Cassandra-Lucene-Index plugin configured for use
Data added to tables
Lucene index created
Cassandra flush has run

Mitigation/Prevention Mitigation requires dropping all Lucene indexes and stopping use of the plugin. Exploit will be possible any time the required conditions are met.

Solution Upgrade to a fixed version of the Cassandra-Lucene-Index plugin.
Review users in Cassandra to validate all superuser privileges.

(GitHub Advisory)

8.8

CVSS Score

3.1

Basic Information

CVE ID

CVE-2025-26511

GHSA ID

GHSA-mrqp-q7vx-v2cx

EPSS Score

0.06158%

CWE

CWE-288

Published

2/13/2025

Updated

2/14/2025

KEV Status

Technology

Java

Technical Details

CVSS Vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

Package Name	Ecosystem	Vulnerable Versions	First Patched Version
com.instaclustr:cassandra-lucene-index-plugin	maven	>= 4.0-rc1-1.0.0, < 4.0.17-1.0.0	4.0.17-1.0.0
com.instaclustr:cassandra-lucene-index-plugin	maven	>= 4.1.0-1.0.0, < 4.1.8-1.0.1	4.1.8-1.0.1

Vulnerability Intelligence
Miggo AI

Root Cause Analysis

The vulnerability stems from missing authorization checks in query handling. The GitHub commit diff shows the patched version added 'statement.authorize' and 'statement.validate' calls to IndexQueryHandler.scala. In vulnerable versions, these security checks were absent, allowing authenticated users to execute queries without proper RBAC validation. The direct addition of these security-critical method calls in the fix confirms this was the vulnerability vector.

Vulnerable functions

Only Mi**o us*rs **n s** t*is s**tion

WAF Protection Rules

WAF Rule

**Summ*ry / **t*ils** Syst*ms runnin* t** Inst**lustr *ork o* Str*tio's **ss*n*r*-Lu**n*-In**x plu*in v*rsions *.*-r**-*.*.* t*rou** *.*.**-*.*.* *n* *.*.*-*.*.* t*rou** *.*.*-*.*.*, inst*ll** into *p**** **ss*n*r* v*rsion *.x, *r* sus**pti*l* to * v

Reasoning

T** vuln*r**ility st*ms *rom missin* *ut*oriz*tion ****ks in qu*ry **n*lin*. T** *it*u* *ommit *i** s*ows t** p*t**** v*rsion ***** `'st*t*m*nt.*ut*oriz*'` *n* `'st*t*m*nt.v*li**t*'` **lls to `In**xQu*ry**n*l*r.s**l*`. In vuln*r**l* v*rsions, t**s* s

8.8

Basic Information

Concerned about an active attack path?

CVE-2025-26511: Instaclustr Cassandra-Lucene-Index allows bypass of Cassandra RBAC

8.8

Basic Information

Technical Details

Vulnerability IntelligenceMiggo AI

Root Cause Analysis

Vulnerable functions

WAF Protection Rules

WAF Rule

Reasoning

CVE-2025-26511:
Instaclustr Cassandra-Lucene-Index allows bypass of Cassandra RBAC

Vulnerability Intelligence
Miggo AI