Security Advisory – Cassandra Lucene Index – CVE-2025-26511
NetApp Instaclustr is aware of a high-severity security vulnerability, CVE-2025-26511. The vulnerability affects systems running the Instaclustr fork of Stratio’s Cassandra-Lucene-Index plugin versions 4.0-rc1-1.0.0 through 4.0.16-1.0.0 and 4.1.0-1.0.0 through 4.1.8-1.0.0, installed into Apache Cassandra version 4.x. When successfully exploited, the vulnerability could allow authenticated Cassandra users to remotely bypass RBAC to access data and escalate their privileges.
In the Instaclustr environment, customers running Cassandra up to version 4.1.3 with the Apache Lucene Add-On are affected.
Impact Analysis
NetApp performed an investigation into this vulnerability and its potential impact on our Managed Platform. We have assessed its severity rating as 8.0, HIGH on the CVSS v3.1 scale in the Instaclustr environment. As such, CVE-2025-26511 is considered an urgent priority for Instaclustr to fix.
The findings are as follows:
- Primary Risk: Authenticated Cassandra users can remotely bypass Role-Based Access Control (RBAC) and escalate their privileges.
- Exploiting this vulnerability requires all of the following conditions:
  - Apache Cassandra version 4.x is in use
  - A vulnerable version of the Cassandra-Lucene-Index plugin is installed
  - Data has been added to tables
  - A Lucene index has been created
  - A Cassandra flush has run
- The risk of this vulnerability is reduced relative to the project’s assessment by Instaclustr’s standard security controls, including the network and access control mechanisms applied to all customer clusters. For more details, read the Instaclustr Security Features.
We have released Cassandra versions 4.0.17 and 4.1.8 with the fixed version of the Cassandra-Lucene-Index plugin.
Mitigation Approaches
Temporary mitigation requires dropping all Lucene indexes and stopping use of the plugin. Exploitation remains possible any time the required conditions are met.
To resolve the issue, NetApp recommends the following actions for our customers:
Managed Customers Using the Apache Lucene Add-On
- New versions of the Cassandra Lucene Index, 4.1.8-1.0.1 and 4.0.17-1.0.0, have been released to address the vulnerability. These patches ship with our releases of Apache Cassandra 4.0.17 and 4.1.8, which will shortly be available on the Instaclustr platform.
- Our support team will reach out to upgrade your Cassandra clusters to the latest patch version, depending on whether you are using Cassandra 4.0 or Cassandra 4.1. Following the Cassandra upgrade, we will also upgrade your Lucene add-on to version 4.1.8-1.0.1 or 4.0.17-1.0.0, which contains the fix for this issue.
Please note that this add-on has been closed to new customers since July 2024 and is available only to existing customers. See the announcement here.
Enterprise Support Customers
- Please upgrade your Cassandra cluster to Cassandra 4.0.17 or 4.1.8, depending on the major version you are using.
- Upgrade your Cassandra-Lucene-Index plugin to version 4.0.17-1.0.0 or 4.1.8-1.0.1, or later, based on the major version of Cassandra you are currently using.
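As an added example (not part of this advisory, and not code from Instaclustr or the Stratio plugin), the following Python checks an installed Cassandra-Lucene-Index version against the affected ranges and fixed releases stated above, so an operator can inventory which nodes still need the upgrade. It assumes the plugin version string has the form `<cassandra version>-<plugin version>` as written in this advisory, and the node inventory is constructed sample data.

```python
import re

# Affected version ranges for CVE-2025-26511, as listed in the advisory.
# A plugin version reads "<cassandra version>-<plugin version>", e.g. "4.0.16-1.0.0".
AFFECTED_RANGES = [
    ("4.0-rc1-1.0.0", "4.0.16-1.0.0"),
    ("4.1.0-1.0.0", "4.1.8-1.0.0"),
]
# First fixed plugin release on each Cassandra line, from the advisory.
FIXED_VERSIONS = {(4, 0): "4.0.17-1.0.0", (4, 1): "4.1.8-1.0.1"}

_VERSION_RE = re.compile(r"^(\d+)\.(\d+)(?:\.(\d+))?(?:-rc(\d+))?-(\d+)\.(\d+)\.(\d+)$")


def version_key(version):
    """Sortable tuple: a release candidate sorts before the final release of the same
    Cassandra version, and the plugin version breaks ties (4.1.8-1.0.0 < 4.1.8-1.0.1)."""
    m = _VERSION_RE.match(version.strip())
    if not m:
        raise ValueError(f"unrecognised Cassandra-Lucene-Index version: {version!r}")
    major, minor, patch, rc, p1, p2, p3 = m.groups()
    is_final = 0 if rc else 1  # "4.0-rc1" < "4.0.0"
    return (int(major), int(minor), int(patch or 0), is_final, int(rc or 0), int(p1), int(p2), int(p3))


def is_affected(version):
    """True if the installed plugin version lies inside an affected range (inclusive)."""
    key = version_key(version)
    return any(version_key(lo) <= key <= version_key(hi) for lo, hi in AFFECTED_RANGES)


def required_upgrade(version):
    """Fixed plugin version to move to, or None when the version is not affected."""
    if not is_affected(version):
        return None
    major, minor = version_key(version)[:2]
    return FIXED_VERSIONS[(major, minor)]


def audit_nodes(node_versions):
    """Map {node: installed version} to {node: required upgrade} for affected nodes only."""
    return {node: required_upgrade(v) for node, v in node_versions.items() if is_affected(v)}


if __name__ == "__main__":
    # Constructed sample inventory, not data from a real cluster.
    sample = {"node-a": "4.0.16-1.0.0", "node-b": "4.1.8-1.0.1", "node-c": "4.0-rc1-1.0.0"}
    for node, fix in audit_nodes(sample).items():
        print(f"{node}: upgrade Cassandra-Lucene-Index to {fix}")
```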
All Customers
After patching, any customers who may have been affected should:
- Review Cassandra permissions to ensure access is restricted to the minimum permissions sets.
- Review data access rules for potential breaches.
Lifecycle
- Once all existing clusters are upgraded to version 4.0.17-1.0.0, 4.1.8-1.0.1 or a later version of Cassandra-Lucene-Index, all previous versions of the Apache Lucene add-on will reach End-of-Life on the Instaclustr Platform.
If you have any further queries regarding this vulnerability and how it relates to Instaclustr services, please contact Instaclustr Support.