CVE-2025-26511: 
Java vulnerability analysis and mitigation

Systems running the Instaclustr fork of Stratio's Cassandra-Lucene-Index plugin versions 4.0-rc1-1.0.0 through 4.0.16-1.0.0 and 4.1.2-1.0.0 through 4.1.8-1.0.0, installed into Apache Cassandra version 4.x, are susceptible to a vulnerability which when successfully exploited could allow authenticated Cassandra users to remotely bypass RBAC and escalate their privileges (NVD, GitHub Advisory).

The vulnerability has been assigned a CVSS v3.1 base score of 8.8 (HIGH) with vector string CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H. The exploit requires specific conditions including: Cassandra 4.x installation, vulnerable version of the Cassandra-Lucene-Index plugin configured for use, data added to tables, Lucene index created, and Cassandra flush has been run (GitHub Advisory).

When successfully exploited, this vulnerability allows authenticated Cassandra users to bypass Role-Based Access Control (RBAC), potentially gaining unauthorized access to data and escalating their privileges to higher levels than intended (GitHub Advisory).

Immediate mitigation requires dropping all Lucene indexes and stopping use of the plugin. For a permanent fix, users should upgrade to version 4.0.17-1.0.0 or 4.1.8-1.0.1 of the Cassandra-Lucene-Index plugin. After upgrading, it is recommended to review all users in Cassandra to validate superuser privileges (GitHub Advisory).