Vulnerability-Lookup

CVE-2026-22022 (GCVE-0-2026-22022)

Vulnerability from cvelistv5 – Published: 2026-01-21 13:41 – Updated: 2026-01-21 15:35

Title

Apache Solr: Unauthorized bypass of certain "predefined permission" rules in the RuleBasedAuthorizationPlugin

Summary

Deployments of Apache Solr 5.3.0 through 9.10.0 that rely on Solr's "Rule Based Authorization Plugin" are vulnerable to allowing unauthorized access to certain Solr APIs, due to insufficiently strict input validation in those components. Only deployments that meet all of the following criteria are impacted by this vulnerability: * Use of Solr's "RuleBasedAuthorizationPlugin" * A RuleBasedAuthorizationPlugin config (see security.json) that specifies multiple "roles" * A RuleBasedAuthorizationPlugin permission list (see security.json) that uses one or more of the following pre-defined permission rules: "config-read", "config-edit", "schema-read", "metrics-read", or "security-read". * A RuleBasedAuthorizationPlugin permission list that doesn't define the "all" pre-defined permission * A networking setup that allows clients to make unfiltered network requests to Solr. (i.e. user-submitted HTTP/HTTPS requests reach Solr as-is, unmodified or restricted by any intervening proxy or gateway) Users can mitigate this vulnerability by ensuring that their RuleBasedAuthorizationPlugin configuration specifies the "all" pre-defined permission and associates the permission with an "admin" or other privileged role. Users can also upgrade to a Solr version outside of the impacted range, such as the recently released Solr 9.10.1.

Severity ?

No CVSS data available.

CWE

CWE-285 - Improper Authorization

Assigner

apache

References

URL

Tags

https://lists.apache.org/thread/d59hqbgo7p62myq7m…

vendor-advisory

Impacted products

	Vendor	Product	Version
	Apache Software Foundation	Apache Solr	Affected: 5.3 , ≤ 9.10.0 (semver)

Credits

monkeontheroof

Show details on NVD website

JSON

To clipboard

{
  "containers": {
    "adp": [
      {
        "providerMetadata": {
          "dateUpdated": "2026-01-21T14:13:29.934Z",
          "orgId": "af854a3a-2127-422b-91ae-364da2661108",
          "shortName": "CVE"
        },
        "references": [
          {
            "url": "http://www.openwall.com/lists/oss-security/2026/01/20/4"
          }
        ],
        "title": "CVE Program Container"
      },
      {
        "metrics": [
          {
            "cvssV3_1": {
              "attackComplexity": "LOW",
              "attackVector": "NETWORK",
              "availabilityImpact": "NONE",
              "baseScore": 8.2,
              "baseSeverity": "HIGH",
              "confidentialityImpact": "HIGH",
              "integrityImpact": "LOW",
              "privilegesRequired": "NONE",
              "scope": "UNCHANGED",
              "userInteraction": "NONE",
              "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
              "version": "3.1"
            }
          },
          {
            "other": {
              "content": {
                "id": "CVE-2026-22022",
                "options": [
                  {
                    "Exploitation": "none"
                  },
                  {
                    "Automatable": "yes"
                  },
                  {
                    "Technical Impact": "partial"
                  }
                ],
                "role": "CISA Coordinator",
                "timestamp": "2026-01-21T15:34:12.691456Z",
                "version": "2.0.3"
              },
              "type": "ssvc"
            }
          }
        ],
        "providerMetadata": {
          "dateUpdated": "2026-01-21T15:35:07.116Z",
          "orgId": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
          "shortName": "CISA-ADP"
        },
        "title": "CISA ADP Vulnrichment"
      }
    ],
    "cna": {
      "affected": [
        {
          "defaultStatus": "unaffected",
          "product": "Apache Solr",
          "vendor": "Apache Software Foundation",
          "versions": [
            {
              "lessThanOrEqual": "9.10.0",
              "status": "affected",
              "version": "5.3",
              "versionType": "semver"
            }
          ]
        }
      ],
      "credits": [
        {
          "lang": "en",
          "type": "finder",
          "value": "monkeontheroof"
        }
      ],
      "descriptions": [
        {
          "lang": "en",
          "supportingMedia": [
            {
              "base64": false,
              "type": "text/html",
              "value": "Deployments of Apache Solr 5.3.0 through 9.10.0 that rely on Solr\u0027s \"Rule Based Authorization Plugin\" are vulnerable to allowing unauthorized access to certain Solr APIs, due to insufficiently strict input validation in those components.\u0026nbsp; Only deployments that meet \u003cb\u003eall\u003c/b\u003e of the following criteria are impacted by this vulnerability:\u003cbr\u003e\u003cbr\u003e\u003col\u003e\u003cli\u003eUse of Solr\u0027s \"RuleBasedAuthorizationPlugin\"\u003c/li\u003e\u003cli\u003eA RuleBasedAuthorizationPlugin config (see security.json) that specifies multiple \"roles\"\u003c/li\u003e\u003cli\u003eA RuleBasedAuthorizationPlugin permission list (see security.json) that uses one or more of the following pre-defined permission rules: \"config-read\", \"config-edit\", \"schema-read\", \"metrics-read\", or \"security-read\".\u003c/li\u003e\u003cli\u003eA RuleBasedAuthorizationPlugin permission list that \u003cb\u003edoesn\u0027t\u003c/b\u003e define the \"all\" pre-defined permission\u003c/li\u003e\u003cli\u003eA networking setup that allows clients to make unfiltered network requests to Solr. (i.e. user-submitted HTTP/HTTPS requests reach Solr as-is, unmodified or restricted by any intervening proxy or gateway)\u003cbr\u003e\u003c/li\u003e\u003c/ol\u003eUsers can mitigate this vulnerability by ensuring that their RuleBasedAuthorizationPlugin configuration specifies the \"all\" pre-defined permission and associates the permission with an \"admin\" or other privileged role.\u0026nbsp; Users can also upgrade to a Solr version outside of the impacted range, such as the recently released Solr 9.10.1.\u0026nbsp;"
            }
          ],
          "value": "Deployments of Apache Solr 5.3.0 through 9.10.0 that rely on Solr\u0027s \"Rule Based Authorization Plugin\" are vulnerable to allowing unauthorized access to certain Solr APIs, due to insufficiently strict input validation in those components.\u00a0 Only deployments that meet all of the following criteria are impacted by this vulnerability:\n\n  *  Use of Solr\u0027s \"RuleBasedAuthorizationPlugin\"\n  *  A RuleBasedAuthorizationPlugin config (see security.json) that specifies multiple \"roles\"\n  *  A RuleBasedAuthorizationPlugin permission list (see security.json) that uses one or more of the following pre-defined permission rules: \"config-read\", \"config-edit\", \"schema-read\", \"metrics-read\", or \"security-read\".\n  *  A RuleBasedAuthorizationPlugin permission list that doesn\u0027t define the \"all\" pre-defined permission\n  *  A networking setup that allows clients to make unfiltered network requests to Solr. (i.e. user-submitted HTTP/HTTPS requests reach Solr as-is, unmodified or restricted by any intervening proxy or gateway)\n\nUsers can mitigate this vulnerability by ensuring that their RuleBasedAuthorizationPlugin configuration specifies the \"all\" pre-defined permission and associates the permission with an \"admin\" or other privileged role.\u00a0 Users can also upgrade to a Solr version outside of the impacted range, such as the recently released Solr 9.10.1."
        }
      ],
      "metrics": [
        {
          "other": {
            "content": {
              "text": "moderate"
            },
            "type": "Textual description of severity"
          }
        }
      ],
      "problemTypes": [
        {
          "descriptions": [
            {
              "cweId": "CWE-285",
              "description": "CWE-285 Improper Authorization",
              "lang": "en",
              "type": "CWE"
            }
          ]
        }
      ],
      "providerMetadata": {
        "dateUpdated": "2026-01-21T13:41:46.346Z",
        "orgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
        "shortName": "apache"
      },
      "references": [
        {
          "tags": [
            "vendor-advisory"
          ],
          "url": "https://lists.apache.org/thread/d59hqbgo7p62myq7mgfpz7or8n1j7wbn"
        }
      ],
      "source": {
        "defect": [
          "SOLR-18054"
        ],
        "discovery": "EXTERNAL"
      },
      "title": "Apache Solr: Unauthorized bypass of certain \"predefined permission\" rules in the RuleBasedAuthorizationPlugin",
      "x_generator": {
        "engine": "Vulnogram 0.2.0"
      }
    }
  },
  "cveMetadata": {
    "assignerOrgId": "f0158376-9dc2-43b6-827c-5f631a4d8d09",
    "assignerShortName": "apache",
    "cveId": "CVE-2026-22022",
    "datePublished": "2026-01-21T13:41:46.346Z",
    "dateReserved": "2026-01-05T20:52:03.246Z",
    "dateUpdated": "2026-01-21T15:35:07.116Z",
    "state": "PUBLISHED"
  },
  "dataType": "CVE_RECORD",
  "dataVersion": "5.2",
  "vulnerability-lookup:meta": {
    "nvd": "{\"cve\":{\"id\":\"CVE-2026-22022\",\"sourceIdentifier\":\"security@apache.org\",\"published\":\"2026-01-21T14:16:06.573\",\"lastModified\":\"2026-01-21T16:16:10.360\",\"vulnStatus\":\"Received\",\"cveTags\":[],\"descriptions\":[{\"lang\":\"en\",\"value\":\"Deployments of Apache Solr 5.3.0 through 9.10.0 that rely on Solr\u0027s \\\"Rule Based Authorization Plugin\\\" are vulnerable to allowing unauthorized access to certain Solr APIs, due to insufficiently strict input validation in those components.\u00a0 Only deployments that meet all of the following criteria are impacted by this vulnerability:\\n\\n  *  Use of Solr\u0027s \\\"RuleBasedAuthorizationPlugin\\\"\\n  *  A RuleBasedAuthorizationPlugin config (see security.json) that specifies multiple \\\"roles\\\"\\n  *  A RuleBasedAuthorizationPlugin permission list (see security.json) that uses one or more of the following pre-defined permission rules: \\\"config-read\\\", \\\"config-edit\\\", \\\"schema-read\\\", \\\"metrics-read\\\", or \\\"security-read\\\".\\n  *  A RuleBasedAuthorizationPlugin permission list that doesn\u0027t define the \\\"all\\\" pre-defined permission\\n  *  A networking setup that allows clients to make unfiltered network requests to Solr. (i.e. user-submitted HTTP/HTTPS requests reach Solr as-is, unmodified or restricted by any intervening proxy or gateway)\\n\\nUsers can mitigate this vulnerability by ensuring that their RuleBasedAuthorizationPlugin configuration specifies the \\\"all\\\" pre-defined permission and associates the permission with an \\\"admin\\\" or other privileged role.\u00a0 Users can also upgrade to a Solr version outside of the impacted range, such as the recently released Solr 9.10.1.\"}],\"metrics\":{\"cvssMetricV31\":[{\"source\":\"134c704f-9b21-4f2e-91b3-4a467353bcc0\",\"type\":\"Secondary\",\"cvssData\":{\"version\":\"3.1\",\"vectorString\":\"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N\",\"baseScore\":8.2,\"baseSeverity\":\"HIGH\",\"attackVector\":\"NETWORK\",\"attackComplexity\":\"LOW\",\"privilegesRequired\":\"NONE\",\"userInteraction\":\"NONE\",\"scope\":\"UNCHANGED\",\"confidentialityImpact\":\"HIGH\",\"integrityImpact\":\"LOW\",\"availabilityImpact\":\"NONE\"},\"exploitabilityScore\":3.9,\"impactScore\":4.2}]},\"weaknesses\":[{\"source\":\"security@apache.org\",\"type\":\"Secondary\",\"description\":[{\"lang\":\"en\",\"value\":\"CWE-285\"}]}],\"references\":[{\"url\":\"https://lists.apache.org/thread/d59hqbgo7p62myq7mgfpz7or8n1j7wbn\",\"source\":\"security@apache.org\"},{\"url\":\"http://www.openwall.com/lists/oss-security/2026/01/20/4\",\"source\":\"af854a3a-2127-422b-91ae-364da2661108\"}]}}",
    "vulnrichment": {
      "containers": "{\"adp\": [{\"title\": \"CVE Program Container\", \"references\": [{\"url\": \"http://www.openwall.com/lists/oss-security/2026/01/20/4\"}], \"providerMetadata\": {\"orgId\": \"af854a3a-2127-422b-91ae-364da2661108\", \"shortName\": \"CVE\", \"dateUpdated\": \"2026-01-21T14:13:29.934Z\"}}, {\"title\": \"CISA ADP Vulnrichment\", \"metrics\": [{\"cvssV3_1\": {\"scope\": \"UNCHANGED\", \"version\": \"3.1\", \"baseScore\": 8.2, \"attackVector\": \"NETWORK\", \"baseSeverity\": \"HIGH\", \"vectorString\": \"CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N\", \"integrityImpact\": \"LOW\", \"userInteraction\": \"NONE\", \"attackComplexity\": \"LOW\", \"availabilityImpact\": \"NONE\", \"privilegesRequired\": \"NONE\", \"confidentialityImpact\": \"HIGH\"}}, {\"other\": {\"type\": \"ssvc\", \"content\": {\"id\": \"CVE-2026-22022\", \"role\": \"CISA Coordinator\", \"options\": [{\"Exploitation\": \"none\"}, {\"Automatable\": \"yes\"}, {\"Technical Impact\": \"partial\"}], \"version\": \"2.0.3\", \"timestamp\": \"2026-01-21T15:34:12.691456Z\"}}}], \"providerMetadata\": {\"orgId\": \"134c704f-9b21-4f2e-91b3-4a467353bcc0\", \"shortName\": \"CISA-ADP\", \"dateUpdated\": \"2026-01-21T15:34:28.461Z\"}}], \"cna\": {\"title\": \"Apache Solr: Unauthorized bypass of certain \\\"predefined permission\\\" rules in the RuleBasedAuthorizationPlugin\", \"source\": {\"defect\": [\"SOLR-18054\"], \"discovery\": \"EXTERNAL\"}, \"credits\": [{\"lang\": \"en\", \"type\": \"finder\", \"value\": \"monkeontheroof\"}], \"metrics\": [{\"other\": {\"type\": \"Textual description of severity\", \"content\": {\"text\": \"moderate\"}}}], \"affected\": [{\"vendor\": \"Apache Software Foundation\", \"product\": \"Apache Solr\", \"versions\": [{\"status\": \"affected\", \"version\": \"5.3\", \"versionType\": \"semver\", \"lessThanOrEqual\": \"9.10.0\"}], \"defaultStatus\": \"unaffected\"}], \"references\": [{\"url\": \"https://lists.apache.org/thread/d59hqbgo7p62myq7mgfpz7or8n1j7wbn\", \"tags\": [\"vendor-advisory\"]}], \"x_generator\": {\"engine\": \"Vulnogram 0.2.0\"}, \"descriptions\": [{\"lang\": \"en\", \"value\": \"Deployments of Apache Solr 5.3.0 through 9.10.0 that rely on Solr\u0027s \\\"Rule Based Authorization Plugin\\\" are vulnerable to allowing unauthorized access to certain Solr APIs, due to insufficiently strict input validation in those components.\\u00a0 Only deployments that meet all of the following criteria are impacted by this vulnerability:\\n\\n  *  Use of Solr\u0027s \\\"RuleBasedAuthorizationPlugin\\\"\\n  *  A RuleBasedAuthorizationPlugin config (see security.json) that specifies multiple \\\"roles\\\"\\n  *  A RuleBasedAuthorizationPlugin permission list (see security.json) that uses one or more of the following pre-defined permission rules: \\\"config-read\\\", \\\"config-edit\\\", \\\"schema-read\\\", \\\"metrics-read\\\", or \\\"security-read\\\".\\n  *  A RuleBasedAuthorizationPlugin permission list that doesn\u0027t define the \\\"all\\\" pre-defined permission\\n  *  A networking setup that allows clients to make unfiltered network requests to Solr. (i.e. user-submitted HTTP/HTTPS requests reach Solr as-is, unmodified or restricted by any intervening proxy or gateway)\\n\\nUsers can mitigate this vulnerability by ensuring that their RuleBasedAuthorizationPlugin configuration specifies the \\\"all\\\" pre-defined permission and associates the permission with an \\\"admin\\\" or other privileged role.\\u00a0 Users can also upgrade to a Solr version outside of the impacted range, such as the recently released Solr 9.10.1.\", \"supportingMedia\": [{\"type\": \"text/html\", \"value\": \"Deployments of Apache Solr 5.3.0 through 9.10.0 that rely on Solr\u0027s \\\"Rule Based Authorization Plugin\\\" are vulnerable to allowing unauthorized access to certain Solr APIs, due to insufficiently strict input validation in those components.\u0026nbsp; Only deployments that meet \u003cb\u003eall\u003c/b\u003e of the following criteria are impacted by this vulnerability:\u003cbr\u003e\u003cbr\u003e\u003col\u003e\u003cli\u003eUse of Solr\u0027s \\\"RuleBasedAuthorizationPlugin\\\"\u003c/li\u003e\u003cli\u003eA RuleBasedAuthorizationPlugin config (see security.json) that specifies multiple \\\"roles\\\"\u003c/li\u003e\u003cli\u003eA RuleBasedAuthorizationPlugin permission list (see security.json) that uses one or more of the following pre-defined permission rules: \\\"config-read\\\", \\\"config-edit\\\", \\\"schema-read\\\", \\\"metrics-read\\\", or \\\"security-read\\\".\u003c/li\u003e\u003cli\u003eA RuleBasedAuthorizationPlugin permission list that \u003cb\u003edoesn\u0027t\u003c/b\u003e define the \\\"all\\\" pre-defined permission\u003c/li\u003e\u003cli\u003eA networking setup that allows clients to make unfiltered network requests to Solr. (i.e. user-submitted HTTP/HTTPS requests reach Solr as-is, unmodified or restricted by any intervening proxy or gateway)\u003cbr\u003e\u003c/li\u003e\u003c/ol\u003eUsers can mitigate this vulnerability by ensuring that their RuleBasedAuthorizationPlugin configuration specifies the \\\"all\\\" pre-defined permission and associates the permission with an \\\"admin\\\" or other privileged role.\u0026nbsp; Users can also upgrade to a Solr version outside of the impacted range, such as the recently released Solr 9.10.1.\u0026nbsp;\", \"base64\": false}]}], \"problemTypes\": [{\"descriptions\": [{\"lang\": \"en\", \"type\": \"CWE\", \"cweId\": \"CWE-285\", \"description\": \"CWE-285 Improper Authorization\"}]}], \"providerMetadata\": {\"orgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"shortName\": \"apache\", \"dateUpdated\": \"2026-01-21T13:41:46.346Z\"}}}",
      "cveMetadata": "{\"cveId\": \"CVE-2026-22022\", \"state\": \"PUBLISHED\", \"dateUpdated\": \"2026-01-21T15:35:07.116Z\", \"dateReserved\": \"2026-01-05T20:52:03.246Z\", \"assignerOrgId\": \"f0158376-9dc2-43b6-827c-5f631a4d8d09\", \"datePublished\": \"2026-01-21T13:41:46.346Z\", \"assignerShortName\": \"apache\"}",
      "dataType": "CVE_RECORD",
      "dataVersion": "5.2"
    }
  }
}

FKIE_CVE-2026-22022

Vulnerability from fkie_nvd - Published: 2026-01-21 14:16 - Updated: 2026-01-21 16:16

Severity ?

8.2 (High) - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Summary

References

	URL	Tags
	security@apache.org	https://lists.apache.org/thread/d59hqbgo7p62myq7mgfpz7or8n1j7wbn
	af854a3a-2127-422b-91ae-364da2661108	http://www.openwall.com/lists/oss-security/2026/01/20/4

Impacted products

	Vendor	Product	Version

JSON

To clipboard

{
  "cveTags": [],
  "descriptions": [
    {
      "lang": "en",
      "value": "Deployments of Apache Solr 5.3.0 through 9.10.0 that rely on Solr\u0027s \"Rule Based Authorization Plugin\" are vulnerable to allowing unauthorized access to certain Solr APIs, due to insufficiently strict input validation in those components.\u00a0 Only deployments that meet all of the following criteria are impacted by this vulnerability:\n\n  *  Use of Solr\u0027s \"RuleBasedAuthorizationPlugin\"\n  *  A RuleBasedAuthorizationPlugin config (see security.json) that specifies multiple \"roles\"\n  *  A RuleBasedAuthorizationPlugin permission list (see security.json) that uses one or more of the following pre-defined permission rules: \"config-read\", \"config-edit\", \"schema-read\", \"metrics-read\", or \"security-read\".\n  *  A RuleBasedAuthorizationPlugin permission list that doesn\u0027t define the \"all\" pre-defined permission\n  *  A networking setup that allows clients to make unfiltered network requests to Solr. (i.e. user-submitted HTTP/HTTPS requests reach Solr as-is, unmodified or restricted by any intervening proxy or gateway)\n\nUsers can mitigate this vulnerability by ensuring that their RuleBasedAuthorizationPlugin configuration specifies the \"all\" pre-defined permission and associates the permission with an \"admin\" or other privileged role.\u00a0 Users can also upgrade to a Solr version outside of the impacted range, such as the recently released Solr 9.10.1."
    }
  ],
  "id": "CVE-2026-22022",
  "lastModified": "2026-01-21T16:16:10.360",
  "metrics": {
    "cvssMetricV31": [
      {
        "cvssData": {
          "attackComplexity": "LOW",
          "attackVector": "NETWORK",
          "availabilityImpact": "NONE",
          "baseScore": 8.2,
          "baseSeverity": "HIGH",
          "confidentialityImpact": "HIGH",
          "integrityImpact": "LOW",
          "privilegesRequired": "NONE",
          "scope": "UNCHANGED",
          "userInteraction": "NONE",
          "vectorString": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
          "version": "3.1"
        },
        "exploitabilityScore": 3.9,
        "impactScore": 4.2,
        "source": "134c704f-9b21-4f2e-91b3-4a467353bcc0",
        "type": "Secondary"
      }
    ]
  },
  "published": "2026-01-21T14:16:06.573",
  "references": [
    {
      "source": "security@apache.org",
      "url": "https://lists.apache.org/thread/d59hqbgo7p62myq7mgfpz7or8n1j7wbn"
    },
    {
      "source": "af854a3a-2127-422b-91ae-364da2661108",
      "url": "http://www.openwall.com/lists/oss-security/2026/01/20/4"
    }
  ],
  "sourceIdentifier": "security@apache.org",
  "vulnStatus": "Received",
  "weaknesses": [
    {
      "description": [
        {
          "lang": "en",
          "value": "CWE-285"
        }
      ],
      "source": "security@apache.org",
      "type": "Secondary"
    }
  ]
}

GHSA-QR3P-2XJ2-Q7HQ

Vulnerability from github – Published: 2026-01-21 15:31 – Updated: 2026-01-21 22:56

Summary

Apache Solr: Unauthorized bypass of certain "predefined permission" rules in the RuleBasedAuthorizationPlugin

Details

Use of Solr's "RuleBasedAuthorizationPlugin"
A RuleBasedAuthorizationPlugin config (see security.json) that specifies multiple "roles"
A RuleBasedAuthorizationPlugin permission list (see security.json) that uses one or more of the following pre-defined permission rules: "config-read", "config-edit", "schema-read", "metrics-read", or "security-read".
A RuleBasedAuthorizationPlugin permission list that doesn't define the "all" pre-defined permission
A networking setup that allows clients to make unfiltered network requests to Solr. (i.e. user-submitted HTTP/HTTPS requests reach Solr as-is, unmodified or restricted by any intervening proxy or gateway)

Users can mitigate this vulnerability by ensuring that their RuleBasedAuthorizationPlugin configuration specifies the "all" pre-defined permission and associates the permission with an "admin" or other privileged role. Users can also upgrade to a Solr version outside of the impacted range, such as the recently released Solr 9.10.1.

Severity ?

8.2 (High)


                  
                    CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N

Show details on source website

JSON

To clipboard

{
  "affected": [
    {
      "package": {
        "ecosystem": "Maven",
        "name": "org.apache.solr:solr-core"
      },
      "ranges": [
        {
          "events": [
            {
              "introduced": "5.3.0"
            },
            {
              "fixed": "9.10.1"
            }
          ],
          "type": "ECOSYSTEM"
        }
      ]
    }
  ],
  "aliases": [
    "CVE-2026-22022"
  ],
  "database_specific": {
    "cwe_ids": [
      "CWE-285"
    ],
    "github_reviewed": true,
    "github_reviewed_at": "2026-01-21T22:56:47Z",
    "nvd_published_at": "2026-01-21T14:16:06Z",
    "severity": "HIGH"
  },
  "details": "Deployments of Apache Solr 5.3.0 through 9.10.0 that rely on Solr\u0027s \"Rule Based Authorization Plugin\" are vulnerable to allowing unauthorized access to certain Solr APIs, due to insufficiently strict input validation in those components.\u00a0 Only deployments that meet all of the following criteria are impacted by this vulnerability:\n\n  *  Use of Solr\u0027s \"RuleBasedAuthorizationPlugin\"\n  *  A RuleBasedAuthorizationPlugin config (see security.json) that specifies multiple \"roles\"\n  *  A RuleBasedAuthorizationPlugin permission list (see security.json) that uses one or more of the following pre-defined permission rules: \"config-read\", \"config-edit\", \"schema-read\", \"metrics-read\", or \"security-read\".\n  *  A RuleBasedAuthorizationPlugin permission list that doesn\u0027t define the \"all\" pre-defined permission\n  *  A networking setup that allows clients to make unfiltered network requests to Solr. (i.e. user-submitted HTTP/HTTPS requests reach Solr as-is, unmodified or restricted by any intervening proxy or gateway)\n\nUsers can mitigate this vulnerability by ensuring that their RuleBasedAuthorizationPlugin configuration specifies the \"all\" pre-defined permission and associates the permission with an \"admin\" or other privileged role.\u00a0 Users can also upgrade to a Solr version outside of the impacted range, such as the recently released Solr 9.10.1.",
  "id": "GHSA-qr3p-2xj2-q7hq",
  "modified": "2026-01-21T22:56:47Z",
  "published": "2026-01-21T15:31:16Z",
  "references": [
    {
      "type": "ADVISORY",
      "url": "https://nvd.nist.gov/vuln/detail/CVE-2026-22022"
    },
    {
      "type": "WEB",
      "url": "https://github.com/apache/solr/commit/c135e6335c7158fa26e96b0dc386f825255b47c0"
    },
    {
      "type": "PACKAGE",
      "url": "https://github.com/apache/solr"
    },
    {
      "type": "WEB",
      "url": "https://issues.apache.org/jira/browse/SOLR-18054"
    },
    {
      "type": "WEB",
      "url": "https://lists.apache.org/thread/d59hqbgo7p62myq7mgfpz7or8n1j7wbn"
    },
    {
      "type": "WEB",
      "url": "http://www.openwall.com/lists/oss-security/2026/01/20/4"
    }
  ],
  "schema_version": "1.4.0",
  "severity": [
    {
      "score": "CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N",
      "type": "CVSS_V3"
    }
  ],
  "summary": "Apache Solr: Unauthorized bypass of certain \"predefined permission\" rules in the RuleBasedAuthorizationPlugin"
}

WID-SEC-W-2026-0182

Vulnerability from csaf_certbund - Published: 2026-01-20 23:00 - Updated: 2026-01-21 23:00

Summary

Apache Solr: Mehrere Schwachstellen

Notes

Das BSI ist als Anbieter für die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch dafür verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgfältig im Einzelfall zu prüfen.

Produktbeschreibung

Apache Solr ist ein Suchmaschinen-Server für Unternehmen mit einer REST-ähnlichen API.

Angriff

Ein Angreifer kann mehrere Schwachstellen in Apache Solr ausnutzen, um Sicherheitsvorkehrungen zu umgehen, Daten zu manipulieren und vertrauliche Informationen offenzulegen.

Betroffene Betriebssysteme

- Sonstiges - UNIX

JSON

To clipboard

{
  "document": {
    "aggregate_severity": {
      "text": "hoch"
    },
    "category": "csaf_base",
    "csaf_version": "2.0",
    "distribution": {
      "tlp": {
        "label": "WHITE",
        "url": "https://www.first.org/tlp/"
      }
    },
    "lang": "de-DE",
    "notes": [
      {
        "category": "legal_disclaimer",
        "text": "Das BSI ist als Anbieter f\u00fcr die eigenen, zur Nutzung bereitgestellten Inhalte nach den allgemeinen Gesetzen verantwortlich. Nutzerinnen und Nutzer sind jedoch daf\u00fcr verantwortlich, die Verwendung und/oder die Umsetzung der mit den Inhalten bereitgestellten Informationen sorgf\u00e4ltig im Einzelfall zu pr\u00fcfen."
      },
      {
        "category": "description",
        "text": "Apache Solr ist ein Suchmaschinen-Server f\u00fcr Unternehmen mit einer REST-\u00e4hnlichen API.",
        "title": "Produktbeschreibung"
      },
      {
        "category": "summary",
        "text": "Ein Angreifer kann mehrere Schwachstellen in Apache Solr ausnutzen, um Sicherheitsvorkehrungen zu umgehen, Daten zu manipulieren und vertrauliche Informationen offenzulegen.",
        "title": "Angriff"
      },
      {
        "category": "general",
        "text": "- Sonstiges\n- UNIX",
        "title": "Betroffene Betriebssysteme"
      }
    ],
    "publisher": {
      "category": "other",
      "contact_details": "csaf-provider@cert-bund.de",
      "name": "Bundesamt f\u00fcr Sicherheit in der Informationstechnik",
      "namespace": "https://www.bsi.bund.de"
    },
    "references": [
      {
        "category": "self",
        "summary": "WID-SEC-W-2026-0182 - CSAF Version",
        "url": "https://wid.cert-bund.de/.well-known/csaf/white/2026/wid-sec-w-2026-0182.json"
      },
      {
        "category": "self",
        "summary": "WID-SEC-2026-0182 - Portal Version",
        "url": "https://wid.cert-bund.de/portal/wid/securityadvisory?name=WID-SEC-2026-0182"
      },
      {
        "category": "external",
        "summary": "Apache Mailing List vom 2026-01-20",
        "url": "https://lists.apache.org/thread/q5ckz3p0x0jgqdtqfo0kqp936zvdb5on"
      },
      {
        "category": "external",
        "summary": "OSS Security Mailing List vom 2026-01-20",
        "url": "https://seclists.org/oss-sec/2026/q1/91"
      },
      {
        "category": "external",
        "summary": "OSS Security Mailing List vom 2026-01-20",
        "url": "https://seclists.org/oss-sec/2026/q1/92"
      },
      {
        "category": "external",
        "summary": "Apache Mailing List vom 2026-01-20",
        "url": "https://lists.apache.org/thread/py5qp5kx2ovj943cpoctcfd0p2tonkjc"
      }
    ],
    "source_lang": "en-US",
    "title": "Apache Solr: Mehrere Schwachstellen",
    "tracking": {
      "current_release_date": "2026-01-21T23:00:00.000+00:00",
      "generator": {
        "date": "2026-01-22T08:14:31.749+00:00",
        "engine": {
          "name": "BSI-WID",
          "version": "1.5.0"
        }
      },
      "id": "WID-SEC-W-2026-0182",
      "initial_release_date": "2026-01-20T23:00:00.000+00:00",
      "revision_history": [
        {
          "date": "2026-01-20T23:00:00.000+00:00",
          "number": "1",
          "summary": "Initiale Fassung"
        },
        {
          "date": "2026-01-21T23:00:00.000+00:00",
          "number": "2",
          "summary": "Referenz(en) aufgenommen: EUVD-2026-3665, EUVD-2026-3666"
        }
      ],
      "status": "final",
      "version": "2"
    }
  },
  "product_tree": {
    "branches": [
      {
        "branches": [
          {
            "branches": [
              {
                "category": "product_version_range",
                "name": "\u003c9.10.1",
                "product": {
                  "name": "Apache Solr \u003c9.10.1",
                  "product_id": "T050242"
                }
              },
              {
                "category": "product_version",
                "name": "9.10.1",
                "product": {
                  "name": "Apache Solr 9.10.1",
                  "product_id": "T050242-fixed",
                  "product_identification_helper": {
                    "cpe": "cpe:/a:apache:solr:9.10.1"
                  }
                }
              }
            ],
            "category": "product_name",
            "name": "Solr"
          }
        ],
        "category": "vendor",
        "name": "Apache"
      }
    ]
  },
  "vulnerabilities": [
    {
      "cve": "CVE-2026-22022",
      "product_status": {
        "known_affected": [
          "T050242"
        ]
      },
      "release_date": "2026-01-20T23:00:00.000+00:00",
      "title": "CVE-2026-22022"
    },
    {
      "cve": "CVE-2026-22444",
      "product_status": {
        "known_affected": [
          "T050242"
        ]
      },
      "release_date": "2026-01-20T23:00:00.000+00:00",
      "title": "CVE-2026-22444"
    }
  ]
}

Sightings

Author	Source	Type	Date

Nomenclature

Seen: The vulnerability was mentioned, discussed, or observed by the user.
Confirmed: The vulnerability has been validated from an analyst's perspective.
Published Proof of Concept: A public proof of concept is available for this vulnerability.
Exploited: The vulnerability was observed as exploited by the user who reported the sighting.
Patched: The vulnerability was observed as successfully patched by the user who reported the sighting.
Not exploited: The vulnerability was not observed as exploited by the user who reported the sighting.
Not confirmed: The user expressed doubt about the validity of the vulnerability.
Not patched: The vulnerability was not observed as successfully patched by the user who reported the sighting.

Detection rules are retrieved from Rulezet.

Action not permitted

CVE-2026-22022 (GCVE-0-2026-22022)

FKIE_CVE-2026-22022

GHSA-QR3P-2XJ2-Q7HQ

WID-SEC-W-2026-0182

Tags

Sightings

Nomenclature