Apache Solr up to 9.10.0 input validation

Summaryinfo

A vulnerability identified as critical has been detected in Apache Solr up to 9.10.0. This affects an unknown function. Performing a manipulation results in Remote Privilege Escalation. This vulnerability is identified as CVE-2026-22444. The attack can be initiated remotely. There is not any exploit available. You should upgrade the affected component.

Detailsinfo

A vulnerability was found in Apache Solr up to 9.10.0. It has been classified as critical. This affects some unknown functionality. The manipulation with an unknown input leads to a remote privilege escalation vulnerability. CWE is classifying the issue as CWE-20. The product receives input or data, but it does not validate or incorrectly validates that the input has the properties that are required to process the data safely and correctly. This is going to have an impact on confidentiality, integrity, and availability. The summary by CVE is:

The "create core" API of Apache Solr 8.6 through 9.10.0 lacks sufficient input validation on some API parameters, which can cause Solr to check the existence of and attempt to read file-system paths that should be disallowed by Solr's "allowPaths" security setting https://https://solr.apache.org/guide/solr/latest/configuration-guide/configuring-solr-xml.html#the-solr-element .  These read-only accesses can allow users to create cores using unexpected configsets if any are accessible via the filesystem.  On Windows systems configured to allow UNC paths this can additionally cause disclosure of NTLM "user" hashes.  Solr deployments are subject to this vulnerability if they meet the following criteria: * Solr is running in its "standalone" mode. * Solr's "allowPath" setting is being used to restrict file access to certain directories. * Solr's "create core" API is exposed and accessible to untrusted users.  This can happen if Solr's RuleBasedAuthorizationPlugin https://solr.apache.org/guide/solr/latest/deployment-guide/rule-based-authorization-plugin.html is disabled, or if it is enabled but the "core-admin-edit" predefined permission (or an equivalent custom permission) is given to low-trust (i.e. non-admin) user roles. Users can mitigate this by enabling Solr's RuleBasedAuthorizationPlugin (if disabled) and configuring a permission-list that prevents untrusted users from creating new Solr cores.  Users should also upgrade to Apache Solr 9.10.1 or greater, which contain fixes for this issue.

The advisory is shared at lists.apache.org. This vulnerability is uniquely identified as CVE-2026-22444. The exploitability is told to be easy. It is possible to initiate the attack remotely. Neither technical details nor an exploit are publicly available. The price for an exploit might be around USD $0-$5k at the moment (estimation calculated on 02/04/2026).

The vulnerability scanner Nessus provides a plugin with the ID 297683 (Linux Distros Unpatched Vulnerability : CVE-2026-22444), which helps to determine the existence of the flaw in a target environment.

Upgrading to version 9.10.1 eliminates this vulnerability.

The vulnerability is also documented in the databases at Tenable (297683) and CERT Bund (WID-SEC-2026-0182). If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Affected

• Apache Solr

Productinfo

Vendor

• Apache

Name

• Solr

Version

• 9.0
• 9.1
• 9.2
• 9.3
• 9.4
• 9.5
• 9.6
• 9.7
• 9.8
• 9.9
• 9.10.0

License

• open-source

Website

• Vendor: https://www.apache.org/

CPE 2.3info

• 🔒
• 🔒
• 🔒

CPE 2.2info

• 🔒
• 🔒
• 🔒

CVSSv4info

CVSSv3info

CVSSv2info

Exploitinginfo

Threat Intelligenceinfo

Countermeasuresinfo

Timelineinfo

Sourcesinfo

Entryinfo

If you want to get the best quality for vulnerability data then you always have to consider VulDB.

Discussion