Apache Solr administrators are being urged to update their instances immediately following the disclosure of two moderate-severity vulnerabilities that could expose sensitive data and allow unauthorized access. The flaws, affecting widely deployed versions of the open-source search platform, lie in the “create core” API and in the authorization plugin itself, leaving unpatched deployments in a precarious position.
The first vulnerability, CVE-2026-22444, strikes at the heart of Solr’s file management. Affecting versions 8.6 through 9.10.0, the flaw lies in the “create core” API, which lacks sufficient input validation.
This oversight allows the system to check for and attempt to read file-system paths that should explicitly be blocked by Solr’s allowPaths security setting. The implications are twofold:
- Unexpected Configs: Attackers could trick Solr into creating cores using unexpected configsets found elsewhere on the filesystem.
- Windows Exposure: For Windows deployments configured to allow UNC paths, the vulnerability is even more dangerous. It can trigger unauthorized read accesses that may disclose NTLM “user” hashes, potentially handing credentials to an attacker.
This flaw specifically impacts Solr instances running in “standalone” mode where the create core API is exposed to untrusted users—often a result of disabled authorization plugins or overly permissive roles.
The second vulnerability, CVE-2026-22022, compromises the very mechanism designed to enforce security. Affecting a broad range of versions from 5.3 through 9.10.0, this flaw allows for an unauthorized bypass of specific rules in the RuleBasedAuthorizationPlugin.
Due to “insufficiently strict input validation,” attackers can bypass restrictions and access certain Solr APIs. However, the vulnerability requires a “perfect storm” of configuration errors to be exploitable. Deployments are at risk if they:
- Use the RuleBasedAuthorizationPlugin with multiple roles defined.
- Use specific pre-defined permission rules like config-read, config-edit, or security-read.
- Crucially: Fail to define the catch-all “all” permission rule in their configuration.
The Apache Software Foundation has released Solr 9.10.1 to address both issues.
For those unable to patch immediately, mitigation strategies are available:
- For CVE-2026-22444: Enable the RuleBasedAuthorizationPlugin and configure a strict permission list that prevents untrusted users from creating new Solr cores.
- For CVE-2026-22022: Update the authorization configuration to explicitly specify the “all” pre-defined permission and associate it with an administrative role.
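The two mitigations above both come down to the contents of Solr's security.json. The following audit script is an added example, not code from the Solr project or from this report: it embeds a constructed weak configuration (multiple roles, specific pre-defined rules, no catch-all “all” rule, nothing restricting core creation) beside a constructed hardened one, and checks each for the two fixes. Credential values are placeholders. The permission names used (config-read, config-edit, security-read, core-admin-read, core-admin-edit, all) are Solr's pre-defined permission names; core-admin-edit is assumed here to be the pre-defined permission covering CoreAdmin write actions such as CREATE.

```python
"""Audit a Solr security.json for the two mitigations described above.

Added example, not Solr project code. Both configurations are constructed
samples and the credential hashes are placeholders.
"""
import json

RULE_BASED_PLUGIN = "solr.RuleBasedAuthorizationPlugin"

# Constructed weak configuration: several roles and specific pre-defined
# rules, but no catch-all "all" rule and no rule limiting core creation.
WEAK_SECURITY_JSON = """
{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "blockUnknown": true,
    "credentials": {"admin": "<hash> <salt>", "app": "<hash> <salt>"}
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {"name": "config-read", "role": "admin"},
      {"name": "config-edit", "role": "admin"},
      {"name": "security-read", "role": "admin"}
    ],
    "user-role": {"admin": "admin", "app": "app"}
  }
}
"""

# Constructed hardened configuration: core administration is bound to the
# admin role and an explicit "all" rule, placed last, covers everything else.
HARDENED_SECURITY_JSON = """
{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "blockUnknown": true,
    "credentials": {"admin": "<hash> <salt>", "app": "<hash> <salt>"}
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {"name": "config-read", "role": "admin"},
      {"name": "config-edit", "role": "admin"},
      {"name": "security-read", "role": "admin"},
      {"name": "core-admin-read", "role": "admin"},
      {"name": "core-admin-edit", "role": "admin"},
      {"name": "all", "role": "admin"}
    ],
    "user-role": {"admin": "admin", "app": "app"}
  }
}
"""


def _roles(rule):
    """Normalise a rule's role field (string, list, or absent) to a list."""
    role = rule.get("role")
    if role is None:
        return []
    return role if isinstance(role, list) else [role]


def audit_authorization(security_json):
    """Return a list of findings; an empty list means both mitigations are present."""
    authz = json.loads(security_json).get("authorization", {})
    findings = []
    if authz.get("class") != RULE_BASED_PLUGIN:
        findings.append("authorization is not RuleBasedAuthorizationPlugin")
        return findings
    perms = authz.get("permissions", [])
    names = [p.get("name") for p in perms]

    # CVE-2026-22022 mitigation: an explicit "all" rule tied to an admin role.
    # Rules are evaluated in order, so the catch-all belongs last, after the
    # more specific rules it would otherwise shadow.
    if "all" not in names:
        findings.append('no "all" permission rule defined')
    else:
        if not _roles(perms[names.index("all")]):
            findings.append('"all" permission rule is not associated with a role')
        if names[-1] != "all":
            findings.append('"all" permission rule is not the last rule')

    # CVE-2026-22444 mitigation: core creation limited to a trusted role.
    if "core-admin-edit" not in names:
        findings.append("core-admin-edit is not restricted: core creation is open")
    elif not _roles(perms[names.index("core-admin-edit")]):
        findings.append("core-admin-edit is not associated with a role")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SECURITY_JSON), ("hardened", HARDENED_SECURITY_JSON)):
        print(label, audit_authorization(cfg) or ["ok"])
```

Run against a live deployment, the same function can take the authorization section fetched from the Solr admin API; the point of the checks is that a RuleBasedAuthorizationPlugin configuration with only specific rules is exactly the shape described in the article as exploitable, and the “all” rule is what closes it.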