CVE-2026-44825

high
Published 2026-06-01 · Modified 2026-06-02
CVSS v3
8.1
CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
CVSS v4
not yet in upstream
VIR risk
8.1

Description

Hardcoded credentials in the Basic Authentication setup tool (bin/solr auth enable) in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allow a remote attacker to gain full administrative access to the cluster via publicly known default credentials installed silently alongside the user-specified account. As an immediate workaround without upgrading, delete the template users (superadmin, admin, search, index) from security.json or change their passwords. The future, not yet released, versions 9.11.0 and 10.1.0 will not be vulnerable, and upgrading to them will be enough to solve the issue.

Not affected:
* Clusters where bin/solr auth enable was not used to bootstrap BasicAuth
* Clusters where template users have been assigned strong passwords after bootstrap
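A defender-side check for the workaround described above, added here as an example (it is not code from the advisory, Debian or the Solr project): it inspects a security.json in the BasicAuthPlugin / RuleBasedAuthorizationPlugin layout, reports which of the four template users are still present, and produces a cleaned copy with them removed from both the credentials map and the user-role map. The sample configuration, the `ops-user` account and the placeholder hash values are constructed, and the assumption that the administrative role is named `admin` is mine.

```python
import json
from copy import deepcopy

# Template accounts the advisory says `bin/solr auth enable` installs beside the chosen user.
TEMPLATE_USERS = ("superadmin", "admin", "search", "index")

# Constructed sample in the BasicAuthPlugin / RuleBasedAuthorizationPlugin layout;
# the hash and salt fields are placeholders, not real credentials.
SAMPLE_CONFIG = {
    "authentication": {
        "blockUnknown": True,
        "class": "solr.BasicAuthPlugin",
        "credentials": {u: "HASH_PLACEHOLDER SALT_PLACEHOLDER" for u in ("ops-user",) + TEMPLATE_USERS},
    },
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "permissions": [{"name": "all", "role": "admin"}],
        "user-role": {"ops-user": "admin", "superadmin": "admin", "admin": ["admin"],
                      "search": "read", "index": ["read", "update"]},
    },
}


def _roles(value):
    return [value] if isinstance(value, str) else list(value or [])  # one role string or a list


def find_template_users(cfg):
    """Template account names still present in authentication.credentials."""
    creds = cfg.get("authentication", {}).get("credentials", {})
    return [u for u in TEMPLATE_USERS if u in creds]


def remove_template_users(cfg, keep=(), admin_role="admin"):
    """Copy of cfg with the template accounts dropped from both the credentials map
    and the user-role map. Names in `keep` survive (an operator may have chosen
    "admin" as their own account); refuses to leave the cluster without an admin."""
    cfg = deepcopy(cfg)
    doomed = set(find_template_users(cfg)) - set(keep)
    creds = cfg["authentication"]["credentials"]
    authz = cfg.get("authorization") or {}
    user_role = authz.get("user-role", {})
    for user in doomed:
        creds.pop(user, None)
        user_role.pop(user, None)
    if authz and not any(admin_role in _roles(r) for r in user_role.values()):
        raise ValueError("cleanup would leave no %r account; pass keep=(...)" % admin_role)
    return cfg


if __name__ == "__main__":  # for a real file: json.load it, clean, json.dump the result
    print(json.dumps(remove_template_users(SAMPLE_CONFIG), indent=2))
```

In SolrCloud the cleaned document still has to be pushed back to ZooKeeper and the nodes reloaded; the script only produces the document.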

Predictions

Exploit likelihood
88%
Patch ETA

Heuristic predictions, AS-IS, for prioritization only.

Mitigations

Mitigation details

Source: Debian Security Tracker


CVE-2026-44825

Name: CVE-2026-44825
Source: CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package       Release            Version          Status
lucene-solr (PTS)    bullseye           3.6.2+dfsg-24    fixed
                     bookworm, trixie   3.6.2+dfsg-26    fixed
                     forky, sid         3.6.2+dfsg-27    fixed

The information below is based on the following data on fixed versions.

Package       Type     Release      Fixed Version     Urgency   Origin   Debian Bugs
lucene-solr   source   (unstable)   (not affected)

Notes

- lucene-solr <not-affected> (Only affects 9.4.0 and later)
https://issues.apache.org/jira/browse/SOLR-18233


OS impact

Debian: Fixed (5 releases)

Version    Status   Fixed in
trixie     Fixed    0
sid        Fixed    0
forky      Fixed    0
bullseye   Fixed    0
bookworm   Fixed    0

Application impact

Vendor   Product   Versions                           Fixed
apache   solr      9.4.0 through 9.10.1 (inclusive)
apache   solr      10.0.0

References

CWEs

CWE-798 CWE-1188
