CVE-2026-44825: Apache Solr: Enabling BasicAuth using bin/solr CLI configures additional insecure users
Hardcoded credentials in the Basic Authentication setup tool (bin/solr auth enable) in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allow a remote attacker to gain full administrative access to the cluster via publicly known default credentials installed silently alongside the user-specified account. As an immediate workaround without upgrading, delete the template users (superadmin, admin, search, index) from security.json or change their passwords. The forthcoming, not yet released, versions 9.11.0 and 10.1.0 will not be vulnerable; upgrading to either will be enough to resolve the issue.

Not affected:
- Clusters where bin/solr auth enable was not used to bootstrap BasicAuth
- Clusters where the template users have been assigned strong passwords after bootstrap
Metrics
- CVSS v3.1: 8.1
- Severity: HIGH
- Fixed in: —
- Affected Products: 1
HarborGuard Analysis
Synopsis
A hardcoded-credentials vulnerability in Apache Solr's Basic Authentication setup tool (bin/solr auth enable) affects versions 9.4.0 through 9.10.1 and 10.0.0. The tool silently installs a set of well-known default user accounts (superadmin, admin, search, index) alongside any user-specified account, reachable over the network without authentication. A remote attacker who knows these public defaults gains full administrative access to the Solr cluster. No fix versions have been published yet; HarborGuard is tracking the upstream advisory and will make a patched-image rebuild available as soon as Apache Solr 9.11.0 or 10.1.0 is released.
HarborGuard Coverage
Detection is available across every HarborGuard environment: the CVE is ingested from upstream advisory feeds within minutes of publication and matched against all customer images, including custom-built images that bundle Apache Solr. Any image running an affected version of Solr (9.4.0 through 9.10.1 or 10.0.0) surfaces in the HarborGuard findings dashboard automatically.
HarborGuard scores this CVE at CVSS 8.1 (HIGH) and weights it against each environment's compliance policy to route the finding to the correct team inbox inside the customer org. Because exploitability requires only network access and no credentials, triage surfaces this finding at elevated priority for any environment where the affected Solr image is network-exposed.
Because no upstream fix version has been published, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment Apache Solr 9.11.0 or 10.1.0 is released. For customers with auto-remediation enabled, a rebuild, regression run, and PR against affected workloads will be triggered automatically once the upstream fix is confirmed.
Exploit Conditions
- Network reachability: Required
The attacker must reach the Solr HTTP API over the network; any internet- or LAN-exposed Solr instance using BasicAuth bootstrapped with the CLI tool is in scope.
- Authentication: Not required
No credentials are required because the hardcoded default accounts (superadmin, admin, search, index) are publicly known and installed automatically during bootstrap.
- Victim interaction: Not required
No user interaction is needed; the attacker contacts the Solr API directly without any action from an operator or end user.
- Attack complexity: High
Attack complexity is rated High (AC:H), meaning the attacker must identify whether the target cluster was bootstrapped using bin/solr auth enable and that the default template accounts have not been removed or had their passwords changed.
Blast Radius
- Reads all indexed data, including documents, configurations, and stored field values across every collection in the cluster.
- Modifies or deletes index data, collection configurations, and security settings via the admin API.
- Creates or removes user accounts and resets credentials, allowing persistent backdoor access.
- Crashes or destabilizes the cluster by issuing destructive administrative commands such as collection deletion or core unloading.
How HarborGuard Handles This
Available on HarborGuard: because Apache Solr has not yet published a patched release for this vulnerability, HarborGuard monitors the upstream advisory on every ingest cycle and will trigger a patched-image rebuild automatically the moment versions 9.11.0 or 10.1.0 are available. For customers with auto-remediation enabled, that rebuild will be followed by a regression test run and a PR opened against affected workloads. While waiting for the upstream fix, HarborGuard's policy engine can flag affected images for manual remediation using the workaround described in the advisory: removing the template users (superadmin, admin, search, index) from security.json or rotating their passwords. Compensating controls such as network-policy rules that restrict inbound access to Solr ports and egress filtering on cluster nodes can further limit exposure and are surfaced as recommended actions in the HarborGuard findings UI for this CVE.
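The two checks an operator would want to run on their own clusters are the version match described under HarborGuard Coverage above and the security.json workaround described in the advisory and restated in this section. The script below is an added example, not HarborGuard's or Apache Solr's own code: it classifies a Solr version string against the affected ranges stated on this page (9.4.0 through 9.10.1, and 10.0.0), audits a security.json for the four template usernames, and produces a remediated copy with those users and their role mappings removed. The `keep` parameter is an assumption added here for the edge case where the operator's own account happens to share a template name. The embedded security.json is constructed for the example; its credential strings are placeholders, not real hashes, and the role assignments are invented rather than taken from the tool's template.

```python
"""Audit a Solr security.json for the template users named in the advisory.

Added example; assumes the BasicAuthPlugin layout of security.json, in which
authentication.credentials maps username -> "hash salt" and
authorization.user-role maps username -> role(s).
"""
import json
import sys

# Template accounts the advisory says bin/solr auth enable installs silently.
TEMPLATE_USERS = frozenset({"superadmin", "admin", "search", "index"})

# Affected ranges from the advisory: 9.4.0 through 9.10.1, and exactly 10.0.0.
AFFECTED_RANGES = (((9, 4, 0), (9, 10, 1)), ((10, 0, 0), (10, 0, 0)))

# Constructed sample: one operator-created account (ops-admin) plus the four
# template users. Credential values are placeholders, not real hashes.
SAMPLE_SECURITY_JSON = """{
  "authentication": {
    "blockUnknown": true,
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "ops-admin":  "PLACEHOLDER_HASH PLACEHOLDER_SALT",
      "superadmin": "PLACEHOLDER_HASH PLACEHOLDER_SALT",
      "admin":      "PLACEHOLDER_HASH PLACEHOLDER_SALT",
      "search":     "PLACEHOLDER_HASH PLACEHOLDER_SALT",
      "index":      "PLACEHOLDER_HASH PLACEHOLDER_SALT"
    }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "user-role": {
      "ops-admin": "admin", "superadmin": "admin", "admin": "admin",
      "search": "search", "index": "index"
    },
    "permissions": [{"name": "security-edit", "role": "admin"}]
  }
}"""


def parse_version(text):
    """Turn '9.10.1' into (9, 10, 1); a suffix such as '-SNAPSHOT' is ignored."""
    core = text.split("-", 1)[0]
    parts = [int(p) for p in core.split(".")]
    while len(parts) < 3:
        parts.append(0)
    return tuple(parts[:3])


def is_affected(version):
    """True if the Solr version falls inside an affected range from the advisory."""
    v = parse_version(version)
    return any(lo <= v <= hi for lo, hi in AFFECTED_RANGES)


def find_template_users(security):
    """Return the template usernames present in the BasicAuth credentials map."""
    creds = security.get("authentication", {}).get("credentials", {})
    return sorted(TEMPLATE_USERS & set(creds))


def remove_template_users(security, keep=()):
    """Return a copy of the document with template users and their roles removed.

    `keep` (assumption added here) names accounts the operator deliberately
    created, so an operator-chosen account that reuses a template name survives.
    """
    doc = json.loads(json.dumps(security))  # deep copy; leave the input untouched
    to_drop = TEMPLATE_USERS - set(keep)
    creds = doc.get("authentication", {}).get("credentials", {})
    for user in list(creds):
        if user in to_drop:
            del creds[user]
    roles = doc.get("authorization", {}).get("user-role", {})
    for user in list(roles):
        if user in to_drop:
            del roles[user]
    if not creds:
        # Writing this out would leave nobody able to log in (or, with
        # blockUnknown, lock everyone out); refuse rather than guess.
        raise ValueError("refusing to produce a security.json with no users")
    return doc


def audit_security_json(text, keep=()):
    """Parse a security.json string; report template users and a remediated copy."""
    doc = json.loads(text)
    return {
        "template_users": find_template_users(doc),
        "remediated": remove_template_users(doc, keep),
    }


if __name__ == "__main__":
    # Usage: python audit_solr_auth.py <solr-version> [path/to/security.json]
    version = sys.argv[1] if len(sys.argv) > 1 else "9.10.1"
    text = open(sys.argv[2]).read() if len(sys.argv) > 2 else SAMPLE_SECURITY_JSON
    report = audit_security_json(text)
    print(f"Solr {version} affected: {is_affected(version)}")
    print(f"template users present: {report['template_users']}")
    print(json.dumps(report["remediated"], indent=2))
```

Run it against a real cluster by pointing the second argument at the security.json fetched from ZooKeeper or the standalone solr home; the remediated document printed at the end is what to upload back, after confirming that every account you rely on is in the credentials map. Rotating the template users' passwords instead of deleting them, the advisory's alternative workaround, is a change to the credential values rather than the keys and is outside what this script does.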
- Apache Software Foundation / Apache Solr: ≤ 9.10.1 · 10.0.0
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H