SB2026012211 - Multiple vulnerabilities in Apache Solr 

Published: January 22, 2026

Security Bulletin ID: SB2026012211
Severity: Medium
Patch available: YES
Number of vulnerabilities: 2
Exploitation vector: Remote access
Highest impact: Data manipulation

Breakdown by Severity

Medium: 50%, Low: 50%

Description

This security bulletin contains information about 2 security vulnerabilities.


1) Improper authorization (CVE-ID: CVE-2026-22022)

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to improper input validation in the Rule Based Authorization Plugin. A remote authenticated user can bypass certain "predefined permission" rules in the RuleBasedAuthorizationPlugin under specific configurations and gain unauthorized access to the application.


2) Permissions, Privileges, and Access Controls (CVE-ID: CVE-2026-22444)

The vulnerability allows a remote user to bypass implemented security restrictions.

The vulnerability exists due to insufficient input validation on certain API parameters. A remote authenticated user can cause Solr to check the existence of, and attempt to read, file-system paths that should be disallowed by Solr's "allowPaths" security setting. These read-only accesses can allow users to create cores using unexpected configsets if any are accessible via the filesystem. On Windows systems configured to allow UNC paths, this can additionally cause disclosure of NTLM "user" hashes.


Remediation

Install the update from the vendor's website.