Description
Deployments of Apache Solr 5.3.0 through 9.10.0 that rely on Solr's "Rule Based Authorization Plugin" can allow unauthorized access to certain Solr APIs, due to insufficiently strict input validation in those components. Only deployments that meet all of the following criteria are impacted by this vulnerability:

* Use of Solr's "RuleBasedAuthorizationPlugin"
* A RuleBasedAuthorizationPlugin config (see security.json) that specifies multiple "roles"
* A RuleBasedAuthorizationPlugin permission list (see security.json) that uses one or more of the following pre-defined permission rules: "config-read", "config-edit", "schema-read", "metrics-read", or "security-read".
* A RuleBasedAuthorizationPlugin permission list that doesn't define the "all" pre-defined permission
* A networking setup that allows clients to make unfiltered network requests to Solr (i.e. user-submitted HTTP/HTTPS requests reach Solr as-is, neither modified nor restricted by any intervening proxy or gateway)

Users can mitigate this vulnerability by ensuring that their RuleBasedAuthorizationPlugin configuration specifies the "all" pre-defined permission and associates the permission with an "admin" or other privileged role.  Users can also upgrade to a Solr version outside of the impacted range, such as the recently released Solr 9.10.1.
Published: 2026-01-21
Score: 8.2 High
EPSS: < 1% Very Low
KEV: No
Impact: Unauthorized Access to Solr APIs
Action: Patch/Upgrade
AI Analysis

Impact

The vulnerability exists in Apache Solr's RuleBasedAuthorizationPlugin, where insufficiently strict input validation allows users to bypass certain predefined permission rules and access Solr APIs such as configuration reading, configuration editing, schema reading, metrics reading, or security reading. This can lead to unauthorized manipulation or disclosure of configuration, schema, and monitoring data, compromising the confidentiality and integrity of the Solr instance. Only deployments that satisfy all of the following are affected: use of RuleBasedAuthorizationPlugin, a configuration specifying multiple roles, a permission list containing one or more of the listed predefined rules, no "all" permission, and an open network path for client requests.

Affected Systems

Deployments of Apache Solr versions 5.3.0 through 9.10.0 distributed by the Apache Software Foundation, when the RuleBasedAuthorizationPlugin is enabled with multiple roles and the described permission set, are impacted.

Risk and Exploitability

The CVSS score of 8.2 indicates high severity, while the EPSS score of less than 1% and absence from the KEV catalog suggest a low likelihood of exploitation at present. Exploitation likely involves an attacker sending unfiltered HTTP or HTTPS requests directly to the Solr endpoint; due to the plugin's validation flaw, the attacker can then gain unauthorized access to sensitive APIs. The impact is limited to affected deployments where the described conditions hold true.

Generated by OpenCVE AI on April 18, 2026 at 04:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade to a Solr version outside the impacted range, such as 9.10.1 or later.
  • Add an "all" permission entry to the security.json configuration and associate it with a privileged role such as "admin" to enforce strict authorization.
  • Configure firewalls, reverse proxies, or other network controls to restrict or filter client requests to the Solr endpoint, limiting the surface for this vulnerability.
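As an added example (not code from Apache Solr or OpenCVE), the following Python audits a parsed security.json against the four configuration-side criteria listed in the Description and applies the mitigation from the recommended actions above. It assumes the documented security.json layout (authorization.class, authorization.permissions as a list of {"name", "role"} objects, and the authorization["user-role"] map); the sample configuration, AFFECTED_RULES and the function names are constructed here.

```python
import copy

# Predefined rules the advisory names as bypassable when "all" is not defined.
AFFECTED_RULES = {"config-read", "config-edit", "schema-read", "metrics-read", "security-read"}


def _roles(value):
    """Solr accepts a permission's role as a string, a list of strings, or nothing."""
    return [] if value is None else ([value] if isinstance(value, str) else list(value))


def audit_authorization(security):
    """Evaluate the four security.json-side criteria from the advisory.
    The fifth (unfiltered network access) is not visible in the file and is not checked."""
    authz = security.get("authorization", {})
    perms = authz.get("permissions", [])
    roles = set()  # roles referenced by permissions plus roles assigned in user-role
    for p in perms:
        roles.update(_roles(p.get("role")))
    for r in authz.get("user-role", {}).values():
        roles.update(_roles(r))
    names = {p.get("name") for p in perms}
    f = {
        "rule_based_plugin": authz.get("class", "").endswith("RuleBasedAuthorizationPlugin"),
        "multiple_roles": len(roles) > 1,
        "affected_rules_used": sorted(names & AFFECTED_RULES),
        "all_defined": "all" in names,
    }
    f["exposed"] = (f["rule_based_plugin"] and f["multiple_roles"]
                    and bool(f["affected_rules_used"]) and not f["all_defined"])
    return f


def add_all_permission(security, role="admin"):
    """Apply the advisory's mitigation: define "all" and bind it to a privileged role.
    Appended last because Solr matches permissions in order, so the more specific
    rules above it keep their own role bindings. Returns a new dict."""
    fixed = copy.deepcopy(security)
    perms = fixed.setdefault("authorization", {}).setdefault("permissions", [])
    if not any(p.get("name") == "all" for p in perms):
        perms.append({"name": "all", "role": role})
    return fixed


# Constructed sample (hypothetical deployment): two roles, config-edit and
# metrics-read in use, no "all" permission, so every file-side criterion is met.
VULNERABLE = {"authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [{"name": "security-edit", "role": "admin"},
                    {"name": "config-edit", "role": "admin"},
                    {"name": "metrics-read", "role": ["admin", "monitor"]}],
    "user-role": {"solr": "admin", "prom": "monitor"}}}
```

On a real deployment, load the file with json.load and pass the resulting dict to audit_authorization; a True "exposed" result means the file-side criteria are all met and only the network criterion remains to be judged.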

Generated by OpenCVE AI on April 18, 2026 at 04:16 UTC.


Advisories
Source: Github GHSA
ID: GHSA-qr3p-2xj2-q7hq
Title: Apache Solr: Unauthorized bypass of certain "predefined permission" rules in the RuleBasedAuthorizationPlugin
History

Tue, 27 Jan 2026 20:45:00 +0000
  Type: CPEs | Removed: (none) | Added: cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*

Fri, 23 Jan 2026 16:45:00 +0000
  Type: First Time appeared | Removed: (none) | Added: Apache, Apache solr
  Type: Vendors & Products | Removed: (none) | Added: Apache, Apache solr

Thu, 22 Jan 2026 00:15:00 +0000
  Type: References
  Type: Metrics | Removed: threat_severity = None | Added: threat_severity = Moderate

Wed, 21 Jan 2026 16:15:00 +0000
  Type: Metrics | Removed: (none) | Added: cvssV3_1 = {'score': 8.2, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N'}
  Type: Metrics | Removed: (none) | Added: ssvc = {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 21 Jan 2026 15:30:00 +0000
  Type: References

Wed, 21 Jan 2026 14:00:00 +0000
  Type: Description | Removed: (none) | Added: (text identical to the Description section at the top of this page)
  Type: Title | Removed: (none) | Added: Apache Solr: Unauthorized bypass of certain "predefined permission" rules in the RuleBasedAuthorizationPlugin
  Type: Weaknesses | Removed: (none) | Added: CWE-285
  Type: References

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-01-21T15:35:07.116Z

Reserved: 2026-01-05T20:52:03.246Z

Link: CVE-2026-22022

Vulnrichment

Updated: 2026-01-21T14:13:29.934Z

NVD

Status : Analyzed

Published: 2026-01-21T14:16:06.573

Modified: 2026-01-27T20:34:13.140

Link: CVE-2026-22022

Redhat

Severity : Moderate

Public Date: 2026-01-21T13:41:46Z

Links: CVE-2026-22022 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T04:30:35Z

Weaknesses