CVE-2025-26511 HIGH

CVE-2025-26511: Cassandra-Lucene-Index allows bypass of Cassandra RBAC

Vendor NetApp
Product Instaclustr fork of Stratio's Cassandra-Lucene-Index plugin
Weakness CWE-863 · Incorrect authorization
Published February 13, 2025
Last update January 22, 2026

CVSS base score

8.8/10
Attack vector Network
Attack complexity Low
Privileges required Low
User interaction None
Confidentiality High
Integrity High

CVSS vector

CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H

What the vulnerability does

01 Description

Systems running the Instaclustr fork of Stratio's Cassandra-Lucene-Index plugin versions 4.0-rc1-1.0.0 through 4.0.16-1.0.0 and 4.1.2-1.0.0 through 4.1.8-1.0.0, installed into Apache Cassandra version 4.x, are susceptible to a vulnerability which, when successfully exploited, could allow authenticated Cassandra users to remotely bypass RBAC and escalate their privileges.

Key dates

02 Disclosure timeline

February 13, 2025 CVE published
January 22, 2026 Record updated