GHSA-mrqp-q7vx-v2cx: Instaclustr Cassandra-Lucene-Index allows bypass of Cassandra RBAC

1. GitHub Advisory Database
2. GitHub Reviewed
3. CVE-2025-26511

Instaclustr Cassandra-Lucene-Index allows bypass of Cassandra RBAC

Package

maven com.instaclustr:cassandra-lucene-index-plugin (Maven)

Affected versions

>= 4.0-rc1-1.0.0, < 4.0.17-1.0.0

>= 4.1.0-1.0.0, < 4.1.8-1.0.1

Patched versions

4.0.17-1.0.0

4.1.8-1.0.1

Summary / Details
Systems running the Instaclustr fork of Stratio’s Cassandra-Lucene-Index plugin versions 4.0-rc1-1.0.0 through 4.0.16-1.0.0 and 4.1.0-1.0.0 through 4.1.8-1.0.0, installed into Apache Cassandra version 4.x, are susceptible to a vulnerability which when successfully exploited could allow authenticated Cassandra users to remotely bypass RBAC to access data and and escalate their privileges.

Affected Versions

• Cassandra-Lucene-Index plugin versions 4.0-rc1-1.0.0 through 4.0.16-1.0.0
• versions 4.1.0-1.0.0 through 4.1.8-1.0.0
  when installed into Apache Cassandra version 4.x.

Required Configuration for Exploit
These are the conditions required to enable exploit:

1. Cassandra 4.x
2. Vulnerable version of the Cassandra-Lucene-Index plugin configured for use
3. Data added to tables
4. Lucene index created
5. Cassandra flush has run

Mitigation/Prevention
Mitigation requires dropping all Lucene indexes and stopping use of the plugin. Exploit will be possible any time the required conditions are met.

Solution
Upgrade to a fixed version of the Cassandra-Lucene-Index plugin.
Review users in Cassandra to validate all superuser privileges.

References

• GHSA-mrqp-q7vx-v2cx
• instaclustr/cassandra-lucene-index@94380b1
• https://nvd.nist.gov/vuln/detail/CVE-2025-26511

Published to the GitHub Advisory Database

Feb 13, 2025

Last updated

Feb 13, 2025