CVE-2026-22022

8.2 HIGH

📋 TL;DR

Apache Solr deployments using RuleBasedAuthorizationPlugin with specific configurations are vulnerable to unauthorized API access. Attackers can bypass authorization controls to read sensitive configuration, schema, metrics, or security data. Only deployments meeting all five criteria listed in the description are affected.

💻 Affected Systems

Products:
  • Apache Solr
Versions: 5.3.0 through 9.10.0
Operating Systems: All operating systems running affected Solr versions
Default Config Vulnerable: ✅ No
Notes: Only deployments meeting ALL criteria: 1) Using RuleBasedAuthorizationPlugin, 2) Multiple roles defined, 3) Using specific permission rules (config-read, config-edit, schema-read, metrics-read, or security-read), 4) No 'all' permission defined, 5) Unfiltered network access to Solr.

⚠️ Risk & Real-World Impact

🔴 Worst Case

Unauthorized users gain read access to sensitive Solr configuration, schema, metrics, and security data, potentially exposing system information and configuration details.

🟠 Likely Case

Information disclosure of Solr configuration and system metrics, which could aid further attacks or expose sensitive deployment details.

🟢 If Mitigated

With proper controls like network filtering or the 'all' permission configured, the vulnerability is effectively neutralized.

🌐 Internet-Facing: HIGH - Direct internet exposure allows attackers to exploit this without authentication if vulnerable configuration exists.
🏢 Internal Only: MEDIUM - Internal attackers or compromised systems could exploit this, but requires specific vulnerable configuration.

🎯 Exploit Status

Public PoC: ✅ No
Weaponized: UNKNOWN
Unauthenticated Exploit: ⚠️ Yes
Complexity: LOW

Exploitation requires sending HTTP requests to vulnerable Solr endpoints. No authentication needed if network access exists.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Solr 9.10.1

Vendor Advisory: https://lists.apache.org/thread/d59hqbgo7p62myq7mgfpz7or8n1j7wbn

Restart Required: Yes

Instructions:

1. Download Solr 9.10.1 or later from the Apache Solr website.
2. Back up the current Solr installation and data.
3. Stop the Solr service.
4. Replace the Solr binaries with the patched version.
5. Restart the Solr service.
6. Verify functionality.

🔧 Temporary Workarounds

Add the 'all' permission to security.json

Modify the RuleBasedAuthorizationPlugin configuration to include the 'all' pre-defined permission, assigned to the admin/privileged roles.

Edit security.json to add {"name": "all", "role": "admin"} to the permissions array.

🧯 If You Can't Patch

  • Implement network-level controls to restrict direct access to Solr APIs
  • Review and modify RuleBasedAuthorizationPlugin configuration to remove vulnerable permission rules

🔍 How to Verify

Check if Vulnerable:

Confirm whether the instance runs Solr 5.3.0 through 9.10.0, then review security.json for a RuleBasedAuthorizationPlugin configuration that meets all five vulnerability criteria listed under Affected Systems.
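The following Python script is an added example (not from the advisory or the Apache Solr project) that automates the security.json review described above and shows the workaround from the previous section applied to the same file. It evaluates criteria 1 through 4 and the version range against a parsed security.json; criterion 5 (unfiltered network access) cannot be judged from the file, so the script only reports that a network check is still needed. The sample security.json is constructed for illustration; the "admin" role name and the check function names are assumptions, and the `solr.RuleBasedAuthorizationPlugin` class name and `authorization`/`permissions`/`user-role` keys follow Solr's documented security.json layout.

```python
import json

# Permission names the advisory lists for criterion 3.
AFFECTED_PERMISSIONS = {"config-read", "config-edit", "schema-read",
                        "metrics-read", "security-read"}
# Affected version range from the advisory (inclusive on both ends).
AFFECTED_RANGE = ((5, 3, 0), (9, 10, 0))


def parse_version(text):
    """'9.10.0' -> (9, 10, 0); tolerates suffixes such as '9.10.1-SNAPSHOT'."""
    core = text.split("-")[0]
    return tuple(int(part) for part in core.split("."))


def version_affected(version):
    return AFFECTED_RANGE[0] <= parse_version(version) <= AFFECTED_RANGE[1]


def _as_list(value):
    # Solr allows "role" to be a single string or a list of strings.
    if value is None:
        return []
    return value if isinstance(value, list) else [value]


def assess(security_json, version):
    """Evaluate criteria 1-4 plus the version range against a parsed security.json.

    Returns a dict of individual findings; 'config_matches_advisory' is True only
    when every file-level criterion is met. Criterion 5 (network exposure) is
    reported as 'network_check_needed' rather than guessed from the file.
    """
    authz = security_json.get("authorization", {})
    perms = authz.get("permissions", [])

    roles = set()
    for perm in perms:
        roles.update(_as_list(perm.get("role")))
    for mapped in authz.get("user-role", {}).values():
        roles.update(_as_list(mapped))
    names = {perm.get("name") for perm in perms}

    findings = {
        "version_in_range": version_affected(version),
        "uses_rbap": authz.get("class") == "solr.RuleBasedAuthorizationPlugin",
        "multiple_roles": len(roles) > 1,
        "affected_permission_used": bool(names & AFFECTED_PERMISSIONS),
        "all_permission_missing": "all" not in names,
    }
    findings["config_matches_advisory"] = all(findings.values())
    findings["network_check_needed"] = findings["config_matches_advisory"]
    return findings


def add_all_permission(security_json, admin_role="admin"):
    """Apply the advisory's workaround: append the predefined 'all' permission
    for the admin role. Returns a new dict; the input is left unchanged."""
    patched = json.loads(json.dumps(security_json))
    perms = patched.setdefault("authorization", {}).setdefault("permissions", [])
    if not any(perm.get("name") == "all" for perm in perms):
        perms.append({"name": "all", "role": admin_role})
    return patched


# Constructed sample security.json that meets all four file-level criteria.
VULNERABLE = {
    "authentication": {
        "class": "solr.BasicAuthPlugin",
        "credentials": {"solr": "<hash>", "reader": "<hash>"},
    },
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "permissions": [
            {"name": "security-edit", "role": "admin"},
            {"name": "config-read", "role": ["admin", "reader"]},
        ],
        "user-role": {"solr": "admin", "reader": "reader"},
    },
}

if __name__ == "__main__":
    print(json.dumps(assess(VULNERABLE, "9.10.0"), indent=2))
    print(json.dumps(assess(add_all_permission(VULNERABLE), "9.10.0"), indent=2))
```

The 'all' permission is appended at the end of the permissions array on purpose: Solr's RuleBasedAuthorizationPlugin uses the first permission that matches a request, so placing a catch-all rule before the more specific ones would deny the other roles access they are meant to have. Run the script against your real security.json by replacing the constructed `VULNERABLE` dict with `json.load(open("security.json"))`.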

Check Version:

curl http://solr-host:8983/solr/admin/info/system | grep solr-spec-version

Verify Fix Applied:

After upgrading to 9.10.1 or later, confirm the reported version and test that unauthorized requests to the admin APIs are rejected.

📡 Detection & Monitoring

Log Indicators:

  • Unauthorized access attempts to /solr/admin/config, /solr/admin/schema, /solr/admin/metrics, or /solr/admin/security endpoints

Network Indicators:

  • HTTP requests to Solr admin APIs from unauthorized sources

SIEM Query:

source_ip NOT IN authorized_ips AND dest_port=8983 AND (uri_path CONTAINS '/solr/admin/config' OR uri_path CONTAINS '/solr/admin/schema' OR uri_path CONTAINS '/solr/admin/metrics' OR uri_path CONTAINS '/solr/admin/security')
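As an added example (not part of the advisory), the Python below implements the SIEM query's logic over request-log lines so it can be run where no SIEM is available. It assumes the Solr front end writes an NCSA common-format request log (Jetty's request log can be configured that way); because such lines carry no destination port, the `dest_port=8983` clause is dropped and the log is assumed to come from the Solr host itself. The sample log lines, the `10.0.0.0/8` authorized range and the function names are constructed for the example. Successful (2xx) responses to unauthorized sources are ranked higher than rejected ones, since a blocked attempt is noise while a 200 on these paths is the signal the advisory is about.

```python
import re
from ipaddress import ip_address, ip_network

# Endpoint paths listed under the advisory's log indicators.
WATCHED_PATHS = ("/solr/admin/config", "/solr/admin/schema",
                 "/solr/admin/metrics", "/solr/admin/security")

# NCSA common log format: ip ident user [timestamp] "METHOD path proto" status size
NCSA_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Parse one NCSA line into a dict, or return None for lines that do not match."""
    match = NCSA_RE.match(line)
    if not match:
        return None
    rec = match.groupdict()
    rec["status"] = int(rec["status"])
    rec["path"] = rec["path"].split("?", 1)[0]  # match on the path, not the query string
    return rec


def is_authorized_source(ip, authorized_nets):
    addr = ip_address(ip)
    return any(addr in net for net in authorized_nets)


def find_suspicious(lines, authorized_cidrs):
    """Return records for requests to watched admin paths from sources outside
    the authorized CIDRs, mirroring the advisory's SIEM query."""
    nets = [ip_network(cidr) for cidr in authorized_cidrs]
    hits = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        # "uri_path CONTAINS ..." semantics from the SIEM query.
        if not any(watched in rec["path"] for watched in WATCHED_PATHS):
            continue
        if is_authorized_source(rec["ip"], nets):
            continue
        # A 2xx to an unauthorized source means the authorization check did not stop it.
        rec["severity"] = "high" if 200 <= rec["status"] < 300 else "medium"
        hits.append(rec)
    return hits


# Constructed sample log: one authorized reader, two outside requests, one
# ordinary query, and one unparseable line.
SAMPLE_LOG = """\
10.0.0.5 - - [12/Jan/2026:10:00:01 +0000] "GET /solr/admin/metrics?group=jvm HTTP/1.1" 200 5120
203.0.113.7 - - [12/Jan/2026:10:00:02 +0000] "GET /solr/admin/metrics HTTP/1.1" 200 5120
203.0.113.7 - - [12/Jan/2026:10:00:03 +0000] "GET /solr/admin/security HTTP/1.1" 403 312
198.51.100.9 - - [12/Jan/2026:10:00:04 +0000] "GET /solr/products/select?q=*:* HTTP/1.1" 200 2048
this line is not a request log entry
""".splitlines()

if __name__ == "__main__":
    for hit in find_suspicious(SAMPLE_LOG, ["10.0.0.0/8"]):
        print(f"{hit['severity']:6} {hit['ip']:15} {hit['status']} {hit['path']}")
```

Feed it the live request log with `find_suspicious(open("request.log"), [...])` and page on any "high" result; the "medium" results are useful for trend counts of rejected probing but should not page on their own.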
