- Product: Apache Software Foundation Apache Lucene.Net
- Vulnerabilities: 3 flaws (CVE-2026-47896, CVE-2026-47897, CVE-2026-47898)
- Highest severity: 9.8 (Medium · CVSSv3)
- Worst impact: XXE in Lucene.Net.Analysis.Common PatternParser
- Status: No confirmed exploitation yet; patches available
- Action: Update to 4.8.0-beta00018 now
| CVE | CVSS | Type | Fixed in | Status |
|---|---|---|---|---|
| CVE-2026-47896 | 8.9 | Unauthenticated arbitrary file read on the Lucene.Net.Replicator replication server | 4.8.0-beta00018 | Not exploited |
| CVE-2026-47897 | 8.9 | Arbitrary file write from malicious server to Lucene.Net.Replicator client | 4.8.0-beta00018 | Not exploited |
| CVE-2026-47898 | 4 | XXE in Lucene.Net.Analysis.Common PatternParser | 4.8.0-beta00018 | Not exploited |
The Apache project patched three Apache Lucene.NET vulnerability issues in the 4.8.0-beta00018 release. Two of the flaws carry a high CVSS score of 8.9. Both live inside the Lucene.Net.Replicator library.
Why This Apache Lucene.NET Vulnerability Set Matters
Lucene.Net gives many .NET applications their full-text search features. As a result, one library flaw can reach a wide install base. Two of these bugs also need no authentication, so the risk climbs fast.
An attacker could read private files or plant malicious ones on affected systems. Therefore, teams running the replication server should treat this as urgent.
How the Attack Works
The two high-severity bugs both come from path traversal. In short, the code fails to keep a pathname inside its intended directory. An attacker then reaches files that should stay off limits.
CVE-2026-47896 and CVE-2026-47897
CVE-2026-47896 lets an unauthenticated attacker read arbitrary files from the Lucene.Net.Replicator replication server. Meanwhile, CVE-2026-47897 lets a malicious server write arbitrary files to a Replicator client. Both abuse the same weak path handling.
CVE-2026-47898
CVE-2026-47898 is an XXE flaw in the PatternParser within Lucene.Net.Analysis.Common. It carries a lower CVSS score of 4.0. Still, an XXE bug can leak data through crafted XML input.
Affected Versions
The Replicator flaws affect builds from 4.8.0-beta00005 before 4.8.0-beta00018. The XXE flaw affects the same beta range in Lucene.Net.Analysis.Common. Older stable branches sit outside this advisory.
Patch and Mitigation
The maintainers fixed all three issues in 4.8.0-beta00018, so upgrade now. You can pull the current build from the official Lucene.NET download page. Restrict network access to any exposed Replicator server until you finish patching.
No public exploit code or in-the-wild activity has been confirmed yet. Even so, do not wait, because the fix already ships and the two Replicator bugs need no login.
Support Our Threat Intelligence
If you find our CVE report and cybersecurity news helpful, consider supporting our work.