Apache Solr has patched a high-severity vulnerability that silently installs hardcoded default users during BasicAuth setup, granting remote attackers backdoor access to full cluster control without the need for any exploit code.
A critical security flaw, officially tracked as CVE-2026-44825, has been disclosed in Apache Solr, one of the world’s most widely deployed open-source enterprise search platforms.
The vulnerability resides in the bin/solr auth enable command-line tool used to bootstrap Basic Authentication and affects all deployments running Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0.
Discovered by Naveen Sunkavally of Horizon3.ai and reported to the Apache Solr security team, the flaw was publicly disclosed on May 29–30, 2026, and is tracked internally as SOLR-18233.
Apache Solr is an open-source enterprise search platform built on Apache Lucene, powering search infrastructure across e-commerce sites, enterprise portals, and cloud-native applications globally.
Because Solr instances often index sensitive business data, product catalogs, customer records, and internal documents, unauthorized administrative access can lead to severe data-breach consequences.
The platform’s admin APIs operate on well-known ports (8983/8984), making internet-exposed deployments particularly high-value targets.
When administrators use the bin/solr auth enable command to configure BasicAuth, Solr silently installs four hardcoded template user accounts (superadmin, admin, search, and index) alongside the user-specified account.
These accounts are written directly into security.json with publicly known default credentials, creating an invisible administrative backdoor.
A remote attacker with network access to the Solr port needs only these well-known credentials to gain full administrative control over the entire cluster, no exploit code or advanced techniques required.
The vulnerability is particularly dangerous because it operates silently: the administrator configuring authentication is completely unaware that additional privileged accounts have been created.
Unlike most misconfigurations that stem from user error, this flaw is introduced by the security tooling itself, meaning that well-intentioned hardening attempts actually widen the attack surface.
Affected Versions
| Component | Affected Versions |
|---|---|
| org.apache.solr:solr-core | 9.4.0 through 9.10.1 |
| org.apache.solr:solr-core | 10.0.0 (exactly) |
| Fixed in (upcoming) | 9.11.0 and 10.1.0 |
Clusters are not affected if bin/solr auth enable was never used to bootstrap BasicAuth, or if template users were already assigned strong, non-default passwords after initial setup.
Since patched versions 9.11.0 and 10.1.0 were not yet released at the time of disclosure, Apache recommends these immediate mitigation steps:
- Delete the template users (superadmin, admin, search, index) directly from security.json
- Change the passwords of all template users to strong, unique credentials if deletion is not immediately possible
- Restrict network access to Solr ports (8983/8984) using firewall rules, reverse proxies, or API gateways to limit exposure
- Audit your security.json file to identify any unrecognized or legacy user accounts across all cluster nodes
- Implement network segmentation to ensure Solr instances are not reachable from untrusted or public networks
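The audit and cleanup steps above can be scripted. The following is an added example, not code from the advisory or from the Apache Solr project: it loads a security.json, reports which of the four template accounts are present and what role each holds, and produces a hardened copy with those accounts removed from both the `credentials` and `user-role` maps (removing only one leaves a dangling entry). For the fallback path where deletion is not immediately possible, it also rotates the template users' passwords. The sample security.json and its hash strings are constructed placeholders, and the credential format `<base64 sha256(sha256(salt || password))> <base64 salt>` is assumed to match Solr's `Sha256AuthenticationProvider`; verify generated credentials against a test instance before deploying.

```python
"""Audit a Solr security.json for the CVE-2026-44825 template accounts
and emit a hardened copy (added example; not Solr project code)."""
import base64
import hashlib
import json
import secrets

# Template accounts the advisory says bin/solr auth enable installs.
TEMPLATE_USERS = ("superadmin", "admin", "search", "index")

# Constructed sample: one operator-created account ("solr") plus the four
# template accounts. Hash strings are placeholders, not Solr's real defaults.
SAMPLE_SECURITY_JSON = json.dumps({
    "authentication": {
        "blockUnknown": True,
        "class": "solr.BasicAuthPlugin",
        "credentials": {
            "solr": "PLACEHOLDER_HASH_1 PLACEHOLDER_SALT_1",
            "superadmin": "PLACEHOLDER_HASH_2 PLACEHOLDER_SALT_2",
            "admin": "PLACEHOLDER_HASH_3 PLACEHOLDER_SALT_3",
            "search": "PLACEHOLDER_HASH_4 PLACEHOLDER_SALT_4",
            "index": "PLACEHOLDER_HASH_5 PLACEHOLDER_SALT_5",
        },
    },
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "permissions": [
            {"name": "security-edit", "role": "admin"},
            {"name": "all", "role": "admin"},
            {"name": "read", "role": ["search", "index", "admin"]},
            {"name": "update", "role": ["index", "admin"]},
        ],
        "user-role": {
            "solr": "admin", "superadmin": "admin", "admin": "admin",
            "search": "search", "index": "index",
        },
    },
})


def find_template_users(security):
    """Return {user: role} for template accounts that have credentials."""
    creds = security.get("authentication", {}).get("credentials", {})
    roles = security.get("authorization", {}).get("user-role", {})
    return {u: roles.get(u) for u in TEMPLATE_USERS if u in creds}


def remove_users(security, users):
    """Copy of security with users dropped from credentials AND user-role."""
    hardened = json.loads(json.dumps(security))  # deep copy
    for u in users:
        hardened.get("authentication", {}).get("credentials", {}).pop(u, None)
        hardened.get("authorization", {}).get("user-role", {}).pop(u, None)
    return hardened


def solr_hash(password, salt_b64):
    """base64(sha256(sha256(salt || password))); assumed Solr BasicAuth format."""
    salt = base64.b64decode(salt_b64)
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(hashlib.sha256(inner).digest()).decode("ascii")


def make_credential(password):
    """Fresh 32-byte random salt, credential string '<hash> <salt>'."""
    salt_b64 = base64.b64encode(secrets.token_bytes(32)).decode("ascii")
    return f"{solr_hash(password, salt_b64)} {salt_b64}"


def verify_credential(password, credential):
    """Constant-time check of a password against a stored credential string."""
    stored_hash, salt_b64 = credential.split(" ", 1)
    return secrets.compare_digest(stored_hash, solr_hash(password, salt_b64))


def rotate_passwords(security, users, new_passwords):
    """Copy of security with the given users' credentials replaced."""
    hardened = json.loads(json.dumps(security))
    creds = hardened["authentication"]["credentials"]
    for u in users:
        if u in creds:
            creds[u] = make_credential(new_passwords[u])
    return hardened


def audit(raw_json, action="delete", new_passwords=None):
    """Return (template users found, hardened security.json as a dict)."""
    security = json.loads(raw_json)
    found = find_template_users(security)
    if action == "delete":
        return found, remove_users(security, found)
    return found, rotate_passwords(security, found, new_passwords or {})


if __name__ == "__main__":
    found, hardened = audit(SAMPLE_SECURITY_JSON)
    for user, role in found.items():
        print(f"template user {user!r} present with role {role!r}")
    print(json.dumps(hardened, indent=2))
```

Run it against each node's security.json (or the copy held in ZooKeeper for SolrCloud), since the advisory notes that template accounts must be checked across all cluster nodes. Deletion is the cleaner outcome; rotation keeps the accounts but removes the publicly known passwords.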
Organizations should treat any Solr cluster bootstrapped with bin/solr auth enable on versions 9.4.0 through 10.0.0 as potentially compromised until these steps are confirmed completed.
Mitigation
The Apache Solr development team has confirmed that versions 9.11.0 and 10.1.0, once released, will fully resolve CVE-2026-44825.
Upgrading to either fixed release will be sufficient to eliminate the hardcoded credential injection behavior from the bin/solr auth enable tool. Security teams should monitor the Apache Solr security page and the users@solr.apache.org mailing list for release announcements.
This vulnerability continues a concerning pattern of Apache Solr authentication weaknesses: previous CVEs, including CVE-2026-22022 (authorization bypass) and CVE-2024-45216 (authentication bypass via PKIAuthenticationPlugin), highlight the platform’s complex security attack surface.
Severity: HIGH
This vulnerability requires no user interaction, no special privileges, and is exploitable over the network using publicly known credentials.
A successful attack grants a threat actor complete administrative access, enabling data exfiltration, index manipulation, configuration tampering, or use of Solr as a pivot point for deeper network intrusion.
Organizations in the e-commerce, healthcare, financial services, and media industries that are heavily reliant on Solr for search infrastructure face elevated risk.
FAQ
Q1: Does CVE-2026-44825 affect Solr clusters not using bin/solr auth enable?
No, clusters that bootstrapped BasicAuth through manual security.json configuration are not affected.
Q2: Can the vulnerability be exploited without network access to Solr?
No, an attacker must have direct network access to the Solr port (typically 8983) to exploit this flaw.
Q3: Is a patch already available for CVE-2026-44825?
Not yet. At disclosure time, fixes were scheduled for versions 9.11.0 and 10.1.0; immediate workarounds involve editing security.json.
Q4: Who discovered CVE-2026-44825?
Naveen Sunkavally of Horizon3.ai discovered and reported this vulnerability to the Apache Solr security team.
Site: thecybrdef.com