CVE-2026-45083: Goobi viewer: Unauthenticated Solr Streaming Expression Proxy
The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. From 4.8.0 to before 26.04.1, the Goobi viewer REST endpoint POST /api/v1/index/stream accepted an arbitrary Solr streaming expression from unauthenticated network clients and forwarded it to the backend Solr server without restriction. An attacker could read the complete Solr index and, in default Solr deployments, also modify or delete indexed records. This vulnerability is fixed in 26.04.1.
HarborGuard Analysis
Synopsis
An unauthenticated Solr streaming expression proxy vulnerability exists in Goobi viewer (versions from 4.8.0 up to, but not including, 26.04.1). The REST endpoint POST /api/v1/index/stream accepts arbitrary Solr streaming expressions from any network client, requires no authentication, and forwards them directly to the backend Solr server. A remote attacker can read the entire Solr index and, in default Solr deployments, modify or delete indexed records. HarborGuard tracks this advisory and will make a patched-image rebuild available the moment the upstream fix is published.
HarborGuard Coverage
- Detection: Available
Detection of CVE-2026-45083 is available across every HarborGuard environment: the CVE is ingested from upstream feeds within minutes of publication and matched against all customer images, including custom-built images that bundle goobi-viewer-core. Any image running a version in the affected range (4.8.0 up to, but not including, 26.04.1) is flagged automatically.
- Scoring and triage: Available
HarborGuard scores this CVE at 9.8 CRITICAL using the published CVSS v3.1 vector and weights it against each environment's compliance policy to determine urgency and routing. Triage findings are available for routing to the appropriate team inbox within each customer organization.
- Patched-image rebuild: Pending upstream
Because no fix version has been published yet, HarborGuard re-checks the advisory on every ingest cycle and will make a patched-image rebuild available the moment intranda ships the upstream fix for goobi-viewer-core. For customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be initiated automatically once the fix version becomes available.
Exploit Conditions
- Network reachability: Required
The vulnerable REST endpoint is exposed over the network, so an attacker must be able to reach the service via HTTP/HTTPS from any network location.
- Authentication: Not required
The endpoint accepts requests from unauthenticated clients; no account or credential of any privilege level is needed.
- Victim interaction: Not required
The attack is fully server-side; no user action, click, or visit is required to trigger the vulnerability.
- Attack complexity: Low (CVSS AC:L)
Exploitation is reliable and condition-free: the attacker sends a crafted POST request with a malicious Solr streaming expression and receives a response immediately.
Blast Radius
- Reads the complete Solr index, exposing all indexed document content, metadata, and any sensitive fields stored in the search index.
- Modifies or deletes indexed records in default Solr deployments, corrupting the digitised-material catalog served to end users.
- Disrupts search and display functionality for the Goobi viewer application by removing or altering index data.
- May pivot to further Solr-level attacks depending on the Solr deployment configuration, including file reads via Solr data-import or streaming capabilities.
How HarborGuard Handles This
Available on HarborGuard: this CVE is monitored on every ingest cycle because no upstream fix has been published yet. Images running goobi-viewer-core versions from 4.8.0 up to, but not including, 26.04.1 are flagged as CRITICAL in any environment where they appear. While the fix is pending, compensating controls to consider include:
- network-policy isolation of the Goobi viewer pod, restricting access to POST /api/v1/index/stream from untrusted network sources;
- egress filtering between the viewer tier and the backend Solr service, limiting which clients can forward streaming expressions;
- disabling or gating the streaming endpoint at the reverse-proxy layer if the feature is not operationally required.
The moment intranda publishes a fix version, HarborGuard will make a patched-image rebuild available; for customers who opt into auto-remediation, the rebuild, regression run, and PR against affected workloads will be initiated automatically.
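The two defender-side checks described in this advisory (flagging goobi-viewer-core versions in the affected range, and watching for requests to the streaming endpoint that arrive from outside a trusted network while the reverse-proxy gate is in place) are illustrated below. This is an added example, not HarborGuard's or intranda's own code; the version boundaries come from the advisory, while the access-log lines, the client addresses, the trusted-network list and the combined-log format are constructed assumptions.

```python
"""Added example for CVE-2026-45083: version-range matching and access-log review.

The affected range (>= 4.8.0, < 26.04.1) and the endpoint path are taken from
the advisory. Everything else (log format, IP addresses, trusted networks) is
constructed for illustration.
"""
import ipaddress
import re

AFFECTED_MIN = (4, 8, 0)      # first affected release, per the advisory
FIXED_VERSION = (26, 4, 1)    # first fixed release, per the advisory
VULN_ENDPOINT = "/api/v1/index/stream"


def parse_version(version):
    """Turn 'MAJOR.MINOR[.PATCH]' into a tuple of ints so that calendar-style
    releases such as 26.04.1 compare correctly against 4.8.0."""
    m = re.match(r"(\d+)\.(\d+)(?:\.(\d+))?", version.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {version!r}")
    major, minor, patch = m.groups()
    return (int(major), int(minor), int(patch or 0))


def is_affected(version):
    """True when a goobi-viewer-core version falls in [4.8.0, 26.04.1)."""
    return AFFECTED_MIN <= parse_version(version) < FIXED_VERSION


# Constructed: a minimal combined-log style line as a reverse proxy might write it.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\d+|-)'
)

# Constructed assumption: only the internal indexing tier may use the endpoint.
TRUSTED_NETS = [ipaddress.ip_network("10.0.0.0/8")]


def flag_stream_requests(log_lines, trusted_nets=TRUSTED_NETS):
    """Return (client_ip, method, status) for every request to the streaming
    endpoint from outside the trusted networks.

    Any HTTP method is reported, not only POST, so a gate that was configured
    for one method only still shows up during review. The path is compared
    without its query string so '?wt=json' style suffixes cannot hide a hit.
    A 403 from the proxy gate is still reported: it shows the control working
    and records who is probing the endpoint.
    """
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        path = m.group("path").split("?", 1)[0]
        if path != VULN_ENDPOINT:
            continue
        ip = ipaddress.ip_address(m.group("ip"))
        if any(ip in net for net in trusted_nets):
            continue  # expected internal caller
        findings.append((str(ip), m.group("method"), int(m.group("status"))))
    return findings


# Constructed sample log: one trusted caller, two external callers, one unrelated hit.
SAMPLE_LOG = [
    '10.0.0.5 - - [12/May/2026:10:15:01 +0000] "POST /api/v1/index/stream HTTP/1.1" 200 5120',
    '203.0.113.7 - - [12/May/2026:10:15:02 +0000] "POST /api/v1/index/stream HTTP/1.1" 200 88311',
    '203.0.113.7 - - [12/May/2026:10:15:03 +0000] "GET /api/v1/records/PPN123/ HTTP/1.1" 200 2048',
    '198.51.100.9 - - [12/May/2026:10:15:04 +0000] "POST /api/v1/index/stream?wt=json HTTP/1.1" 403 0',
]


if __name__ == "__main__":
    for v in ("4.7.9", "4.8.0", "25.10", "26.04.0", "26.04.1"):
        print(f"goobi-viewer-core {v}: {'AFFECTED' if is_affected(v) else 'not affected'}")
    for ip, method, status in flag_stream_requests(SAMPLE_LOG):
        print(f"untrusted caller {ip} -> {method} {VULN_ENDPOINT} (HTTP {status})")
```

Point `flag_stream_requests` at the reverse proxy's access log for the viewer tier; a non-empty result after the gate is in place means either the allowlist is wrong or the endpoint is being probed, and in both cases the 200-status entries are the ones to chase first.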
Metrics
- CVSS v3.1: 9.8
- Severity: CRITICAL
- Fixed in: —
- Affected Products: 1
- intranda / goobi-viewer-core: >= 4.8.0, < 26.04.1
- Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H