CVE-2026-22444
BaseFortify
Publication date: 2026-01-21
Last updated on: 2026-01-27
Assigner: Apache Software Foundation
Description
Meta Information
Affected Vendors & Products
| Vendor | Product | Version / Range |
|---|---|---|
| apache | solr | From 8.6.0 (inc) to 9.10.1 (exc) |
Exploitability
| CWE ID | Description |
|---|---|
| CWE-20 | The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. |
AI Powered Q&A
How does this vulnerability affect compliance with common standards and regulations (like GDPR, HIPAA)?
The vulnerability can lead to unauthorized read-only access to file-system paths and potential disclosure of NTLM user hashes on Windows systems, which may result in exposure of sensitive information. Such exposure could negatively impact compliance with data protection regulations like GDPR and HIPAA that require safeguarding personal and sensitive data. Mitigations include restricting access to the 'create core' API and upgrading to fixed versions, which help maintain compliance by preventing unauthorized data disclosure.
How can this vulnerability be detected on my network or system? Can you suggest some commands?
This vulnerability can be detected by first comparing the running Solr version against the affected range (8.6.0 up to, but not including, 9.10.1) and then checking whether the Apache Solr 'create core' API (the CoreAdmin CREATE action) is reachable by untrusted users. The exploitable configuration is a node running in standalone mode, with the 'allowPaths' setting in use, where either the RuleBasedAuthorizationPlugin is disabled or low-trust users hold a permission that allows creating cores. Specific commands are not provided in the available resources or context.
Can you explain this vulnerability to me?
This vulnerability exists in the "create core" API of Apache Solr versions 8.6 through 9.10.0. It lacks sufficient input validation on some API parameters, which causes Solr to check for, and attempt to read, file-system paths that should be disallowed by the "allowPaths" security setting. This can enable users to create cores using unexpected configsets accessible via the filesystem. On Windows systems configured to allow UNC paths, it can also lead to disclosure of NTLM "user" hashes, because Solr will attempt to access an attacker-supplied UNC path.
How can this vulnerability impact me?
The impact includes unauthorized read-only access to file-system paths that should be restricted, potentially allowing attackers to create Solr cores with unexpected configurations. On Windows systems with UNC path support, it can lead to disclosure of NTLM user hashes, which could be used for further attacks. This vulnerability can be exploited only when all three conditions hold: Solr is running in standalone mode, the "allowPaths" setting is used, and the "create core" API is accessible to untrusted users because authorization is disabled or misconfigured.
What immediate steps should I take to mitigate this vulnerability?
To mitigate this vulnerability, you should enable Solr's RuleBasedAuthorizationPlugin if it is disabled, and configure a permission list that prevents untrusted users from creating new Solr cores. Additionally, upgrade Apache Solr to version 9.10.1 or greater, which contains fixes for this issue.
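The detection and mitigation answers above describe checks but give no commands. The following is an added example, not code from the Solr project or from this advisory: it encodes the affected range stated in the table (8.6.0 up to, but not including, 9.10.1), the standalone-mode precondition, and the advised RuleBasedAuthorizationPlugin mitigation, and evaluates them against constructed sample responses so it runs offline. The 'allowPaths' precondition lives in solr.xml or SOLR_OPTS and is not automated here. The live-fetch path assumes the standard Solr admin endpoints `/admin/info/system` (which reports `lucene.solr-spec-version` and `mode`) and `/admin/authorization` (assumed to return the `authorization` section of security.json); both are reachable anonymously only when authentication is off, so add credentials if your node requires them.

```python
"""Offline exposure check for CVE-2026-22444 (added example, not Solr code)."""
import json
import re
import sys
import urllib.request

AFFECTED_MIN = (8, 6, 0)   # first affected release, per the advisory table
FIXED = (9, 10, 1)         # first fixed release: "upgrade to 9.10.1 or greater"

# Solr's predefined permission names that cover CoreAdmin CREATE.
CORE_CREATE_PERMS = ("core-admin-edit", "all")


def parse_version(text):
    """'9.10.0', '8.11.2', '9.9.0-SNAPSHOT' -> comparable (major, minor, patch)."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not m:
        raise ValueError(f"unrecognised Solr version string: {text!r}")
    return tuple(int(x or 0) for x in m.groups())


def is_affected_version(text):
    return AFFECTED_MIN <= parse_version(text) < FIXED


def core_create_restricted(security):
    """True if RuleBasedAuthorizationPlugin is enabled and core-admin-edit (or
    the catch-all 'all') is bound to at least one named role.  A role of null
    or '*' is treated as unrestricted: null requires no authentication and '*'
    admits any authenticated user, i.e. exactly the low-trust user the advisory
    warns about."""
    authz = security.get("authorization", {})
    if authz.get("class") != "solr.RuleBasedAuthorizationPlugin":
        return False
    for perm in authz.get("permissions", []):
        if perm.get("name") not in CORE_CREATE_PERMS:
            continue
        roles = perm.get("role")
        roles = roles if isinstance(roles, list) else [roles]
        if roles and all(r not in (None, "*") for r in roles):
            return True
    return False


def assess(system_info, security):
    """Map each precondition named in the advisory to True/False."""
    version = system_info["lucene"]["solr-spec-version"]
    return {
        "affected_version": is_affected_version(version),
        "standalone_mode": system_info.get("mode") == "std",
        "create_core_unrestricted": not core_create_restricted(security),
    }


def is_exposed(system_info, security):
    """Exploitable only when every checked precondition holds."""
    return all(assess(system_info, security).values())


# Constructed sample responses (not captured from a real host).
SAMPLE_SYSTEM = {"lucene": {"solr-spec-version": "9.10.0"}, "mode": "std"}

# Weak security.json: authentication only; any authenticated user may CREATE cores.
WEAK_SECURITY = {
    "authentication": {"class": "solr.BasicAuthPlugin", "blockUnknown": True,
                       "credentials": {"solr": "<sha256-hash> <salt>"}},  # placeholder
}

# Hardened security.json (the advisory's mitigation): core creation needs 'admin'.
HARDENED_SECURITY = {
    "authentication": WEAK_SECURITY["authentication"],
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "permissions": [
            {"name": "core-admin-edit", "role": "admin"},
            {"name": "read", "role": "*"},
        ],
        "user-role": {"solr": "admin", "app": "reader"},
    },
}


def fetch_json(base_url, path):
    """GET a Solr admin endpoint; base_url is like http://host:8983/solr."""
    with urllib.request.urlopen(base_url.rstrip("/") + path, timeout=10) as r:
        return json.load(r)


if __name__ == "__main__":
    if len(sys.argv) > 1:                      # live node: python check.py http://host:8983/solr
        info = fetch_json(sys.argv[1], "/admin/info/system?wt=json")
        sec = fetch_json(sys.argv[1], "/admin/authorization?wt=json")
    else:                                      # no argument: run on the constructed samples
        info, sec = SAMPLE_SYSTEM, WEAK_SECURITY
    for name, hit in assess(info, sec).items():
        print(f"{name:26} {'YES' if hit else 'no'}")
    print("EXPOSED" if is_exposed(info, sec) else "not exposed")
```

Run without arguments to see the weak sample flagged; swap in HARDENED_SECURITY and the same 9.10.0 node is reported as not exposed, which is the point of the mitigation: gating core-admin-edit removes the attacker's entry point while the upgrade to 9.10.1 is scheduled.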