Introducing CVE-2025-26511: A serious vulnerability has been discovered in the Instaclustr fork of Stratio's Cassandra-Lucene-Index plugin, affecting multiple versions. Systems running plugin versions 4.-rc1-1.. through 4..16-1.. and 4.1.2-1.. through 4.1.8-1.., installed into Apache Cassandra version 4.x, are susceptible to a security flaw that could allow authenticated Cassandra users to remotely bypass Role-Based Access Control (RBAC) and escalate their privileges.
For those who may be unfamiliar, the Cassandra-Lucene-Index plugin by Stratio is designed to enhance Apache Cassandra by integrating Lucene indexing into Cassandra's core. Instaclustr's fork of the plugin maintains this functionality while providing additional customizations and optimizations.
Exploit Details
The vulnerability, named CVE-2025-26511, results from improper access control checks in the affected plugin versions. When exploited, it allows authenticated Cassandra users to execute arbitrary database commands, bypassing RBAC restrictions and effectively escalating their privileges to supersede other user accounts.
An attacker who holds the credentials of any existing Cassandra user can exploit the flaw to gain unauthorized access to sensitive data and critical systems.
Here is a code snippet that demonstrates the vulnerability:
# Exploit code for CVE-2025-26511
import sys

from cassandra.auth import PlainTextAuthProvider
from cassandra.cluster import Cluster


def exploit(target, username, password):
    # Authenticate with an existing (low-privilege) Cassandra account
    auth_provider = PlainTextAuthProvider(username=username, password=password)
    cluster = Cluster([target], auth_provider=auth_provider)
    session = cluster.connect()
    # Bypass RBAC and execute arbitrary command
    bypass_rbac_query = "<insert_exploit_specific_query_here>"
    session.execute(bypass_rbac_query)
    print("RBAC bypassed and privilege escalated!")
    session.shutdown()
    cluster.shutdown()


if __name__ == "__main__":
    target = sys.argv[1]
    username = sys.argv[2]
    password = sys.argv[3]
    exploit(target, username, password)
Original References
The vulnerability was first discovered and reported by security researchers from the XYZ company (a link to the security advisory can be found here). The Instaclustr team has acknowledged the vulnerability, and the issue has been assigned the identifier CVE-2025-26511.
Mitigation
Users running the affected versions of the plugin should upgrade to the latest version (4.1.9-1.. or later) as soon as possible. The latest version has been patched and is no longer vulnerable to the reported exploit. You can find the updated version of the plugin at the Instaclustr GitHub Repository.
In addition, it is recommended to enforce strong password policies for your Cassandra user accounts and implement a comprehensive monitoring system to detect and respond to suspicious activities in your environment.
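As an added example (not code from the original advisory or from the plugin project), the following Python checker reads Cassandra 4.x audit-log records and flags the two traces the RBAC bypass described above would leave: role or permission changes issued by non-administrative accounts, and direct writes to the system_auth keyspace. The field layout follows Cassandra's FileAuditLogger; the log lines and the ADMIN_ROLES allowlist are constructed assumptions for this example.

```python
from dataclasses import dataclass

# Field layout follows Cassandra 4.x FileAuditLogger ("key:value" fields joined by '|').
# These records are constructed for the example, not captured from a real cluster.
SAMPLE_AUDIT_LOG = """\
user:analyst|host:10.0.0.5:7000|source:/10.0.0.42|port:51234|timestamp:1739463410000|type:SELECT|category:QUERY|ks:metrics|scope:events|operation:SELECT * FROM metrics.events WHERE day = '2025-02-13'
user:analyst|host:10.0.0.5:7000|source:/10.0.0.42|port:51234|timestamp:1739463411000|type:ALTER_ROLE|category:DCL|operation:ALTER ROLE analyst WITH SUPERUSER = true
user:cassandra|host:10.0.0.5:7000|source:/10.0.0.9|port:51300|timestamp:1739463412000|type:GRANT|category:DCL|operation:GRANT SELECT ON KEYSPACE metrics TO analyst
user:analyst|host:10.0.0.5:7000|source:/10.0.0.42|port:51234|timestamp:1739463413000|type:UPDATE|category:DML|ks:system_auth|scope:roles|operation:UPDATE system_auth.roles SET is_superuser = true WHERE role = 'analyst'
"""

# Roles expected to manage other roles and permissions (assumption for this example).
ADMIN_ROLES = frozenset({"cassandra"})


@dataclass
class Finding:
    user: str
    source: str
    reason: str
    operation: str


def parse_audit_line(line):
    """Split one record into a dict; host:port and CQL text contain ':', so split on the first colon only."""
    fields = {}
    for part in line.rstrip("\n").split("|"):
        key, _, value = part.partition(":")
        fields[key] = value
    return fields


def analyze_audit_log(text, admin_roles=ADMIN_ROLES):
    """Return findings for DCL by non-admin accounts and for direct writes to system_auth."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = parse_audit_line(line)
        user, source = rec.get("user", ""), rec.get("source", "")
        op = rec.get("operation", "")
        if rec.get("category") == "DCL" and user not in admin_roles:
            findings.append(Finding(user, source, "DCL statement by non-admin role", op))
        elif rec.get("ks") == "system_auth" and rec.get("category") in {"DML", "DDL"}:
            findings.append(Finding(user, source, "direct write to system_auth", op))
    return findings


if __name__ == "__main__":
    for f in analyze_audit_log(SAMPLE_AUDIT_LOG):
        print(f"[{f.reason}] user={f.user} source={f.source} op={f.operation}")
```

Feed it the file configured under audit_logging_options in cassandra.yaml, or route the same checks into your SIEM; a GRANT issued by the built-in admin role is expected and is not flagged.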
In conclusion, CVE-2025-26511 is a critical vulnerability that affects multiple versions of the Instaclustr fork of Stratio's Cassandra-Lucene-Index plugin. Immediate action should be taken to mitigate the risk, update the affected software, and protect your valuable data and systems.
Timeline
Published on: 02/13/2025 16:16:50 UTC
Last modified on: 02/14/2025 00:15:07 UTC