PT-2025-7174 · Stratio+1 · Cassandra-Lucene-Index+1
Jfleming-Ic · Published 2025-02-13 · Updated 2025-02-17 · CVE-2025-26511
CVSS v3.1: 8.8 (High)
Vector: AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H
Name of the Vulnerable Software and Affected Versions:
Instaclustr fork of Stratio's Cassandra-Lucene-Index plugin versions 4.0-rc1-1.0.0 through 4.0.16-1.0.0
Instaclustr fork of Stratio's Cassandra-Lucene-Index plugin versions 4.1.0-1.0.0 through 4.1.8-1.0.0
Description:
The vulnerability allows authenticated Cassandra users to remotely bypass Role-Based Access Control (RBAC) and escalate their privileges. Exploitation requires all of the following conditions: Cassandra 4.x is in use, a vulnerable version of the Cassandra-Lucene-Index plugin is installed, data has been added to tables, a Lucene index has been created, and a Cassandra flush has run.
Recommendations:
For versions 4.0-rc1-1.0.0 through 4.0.16-1.0.0, upgrade to a fixed version of the Cassandra-Lucene-Index plugin.
For versions 4.1.0-1.0.0 through 4.1.8-1.0.0, upgrade to a fixed version of the Cassandra-Lucene-Index plugin.
As a temporary workaround, consider dropping all Lucene indexes and stopping the use of the plugin to prevent exploitation.
Review users in Cassandra to validate all superuser privileges.
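The two recommendations above (dropping Lucene indexes and auditing superuser roles) can be carried out from cqlsh. The following CQL session is an added example written for this page, not part of the advisory or the plugin project; it assumes a cqlsh connection as a role allowed to read the system_auth and system_schema keyspaces, and it assumes the index class name used by the Stratio plugin (com.stratio.cassandra.lucene.Index), which you should confirm against the options column of your own deployment.

```cql
-- 1. Audit: list every role that currently holds superuser, and whether it can log in.
--    Compare the result against your expected administrator list; any unexpected
--    superuser on a host running a vulnerable plugin version warrants investigation.
SELECT role, is_superuser, can_login, member_of
FROM system_auth.roles
WHERE is_superuser = true
ALLOW FILTERING;

-- LIST ROLES gives the same information in a human-readable form (column "super").
LIST ROLES;

-- 2. Inventory: find all custom secondary indexes; Lucene indexes show the plugin's
--    class in options['class_name'] (assumed: 'com.stratio.cassandra.lucene.Index').
SELECT keyspace_name, table_name, index_name, options
FROM system_schema.indexes
WHERE kind = 'CUSTOM'
ALLOW FILTERING;

-- 3. Temporary workaround from the advisory: drop each Lucene index found in step 2.
--    Placeholder names below; substitute the keyspace/index names returned by step 2.
DROP INDEX IF EXISTS my_keyspace.my_table_lucene_idx;

-- 4. Re-run step 2 to confirm no Lucene-backed index remains before relying on the
--    workaround, then re-run step 1 after upgrading to a fixed plugin version.
```

Run the audit query on every cluster, not just a sample node, because role data in system_auth is replicated but index definitions are per-keyspace; the inventory query must be repeated if new keyspaces are added while the workaround is in place.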
Tags: Fix · LPE · Incorrect Authorization · Authentication Bypass Using an Alternate Path or Channel
Related Identifiers
Affected Products:
- Apache Cassandra
- Cassandra-Lucene-Index