Description
The "create core" API of Apache Solr 8.6 through 9.10.0 lacks sufficient input validation on some API parameters, which can cause Solr to check the existence of and attempt to read file-system paths that should be disallowed by Solr's "allowPaths" security setting (https://solr.apache.org/guide/solr/latest/configuration-guide/configuring-solr-xml.html#the-solr-element). These read-only accesses can allow users to create cores using unexpected configsets if any are accessible via the filesystem. On Windows systems configured to allow UNC paths this can additionally cause disclosure of NTLM "user" hashes.

Solr deployments are subject to this vulnerability if they meet the following criteria:
* Solr is running in its "standalone" mode.
* Solr's "allowPaths" setting is being used to restrict file access to certain directories.
* Solr's "create core" API is exposed and accessible to untrusted users.  This can happen if Solr's RuleBasedAuthorizationPlugin https://solr.apache.org/guide/solr/latest/deployment-guide/rule-based-authorization-plugin.html is disabled, or if it is enabled but the "core-admin-edit" predefined permission (or an equivalent custom permission) is given to low-trust (i.e. non-admin) user roles.

Users can mitigate this by enabling Solr's RuleBasedAuthorizationPlugin (if disabled) and configuring a permission-list that prevents untrusted users from creating new Solr cores.  Users should also upgrade to Apache Solr 9.10.1 or greater, which contain fixes for this issue.
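The mitigation above comes down to one question a defender can check mechanically: does the active security.json let any low-trust role reach the core CREATE command? The script below is an added example, not part of this record and not Apache Solr's own code. It assumes the documented security.json layout for the RuleBasedAuthorizationPlugin ("authorization" -> "permissions", an ordered list of {"name": ..., "role": ...} evaluated first-match-wins, and "user-role" mapping users to one or more roles), and it assumes the plugin's documented default of allowing a request that no permission rule matches. The two embedded security.json documents are constructed samples, one with the weak grant and one with the corrected grant; the "<hash> <salt>" credential values are placeholders.

```python
"""Audit a Solr security.json for the CVE-2026-22444 precondition.

Added example, not code from the OpenCVE record or from Apache Solr. It
assumes the documented security.json layout for the
RuleBasedAuthorizationPlugin: "authorization" -> "permissions" (an ordered
list of {"name": ..., "role": ...}, first match wins) and "user-role"
(user -> role name or list of role names). Both configs below are
constructed samples; the "<hash> <salt>" credential values are placeholders.
"""
import json

# Constructed sample: the weak setting. The predefined core-admin-edit
# permission (which covers the core CREATE command) is granted to the
# low-trust "reader" role, so the user alice can reach the create-core API.
WEAK_SECURITY_JSON = """
{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "credentials": {"admin": "<hash> <salt>", "alice": "<hash> <salt>"}
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {"name": "read", "role": "*"},
      {"name": "core-admin-edit", "role": ["admin", "reader"]}
    ],
    "user-role": {"admin": "admin", "alice": "reader"}
  }
}
"""

# Constructed sample: the corrected setting. core-admin-edit and the
# catch-all "all" permission are limited to the admin role.
HARDENED_SECURITY_JSON = """
{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "credentials": {"admin": "<hash> <salt>", "alice": "<hash> <salt>"}
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {"name": "read", "role": "*"},
      {"name": "core-admin-edit", "role": "admin"},
      {"name": "all", "role": "admin"}
    ],
    "user-role": {"admin": "admin", "alice": "reader"}
  }
}
"""

# Predefined permissions that gate core creation: core-admin-edit directly,
# "all" as the catch-all that matches every request.
CORE_CREATE_PERMISSIONS = ("core-admin-edit", "all")
ANY_USER = "*"  # role "*" = any authenticated user; a missing/null role = anyone


def _as_list(value):
    """Normalise a role value (string, list or None) to a list of strings."""
    if value is None:
        return []
    return [value] if isinstance(value, str) else list(value)


def roles_that_can_create_cores(security_json: str) -> set:
    """Roles allowed to call the core CREATE command under this config.

    Returns {"*"} when any user can create cores: the plugin is not
    configured, the first matching permission has no role restriction, or no
    permission matches at all (assumed default-allow, as documented).
    """
    authz = json.loads(security_json).get("authorization", {})
    if authz.get("class") != "solr.RuleBasedAuthorizationPlugin":
        return {ANY_USER}
    for perm in authz.get("permissions", []):
        if perm.get("name") in CORE_CREATE_PERMISSIONS:
            roles = _as_list(perm.get("role"))
            return set(roles) if roles and ANY_USER not in roles else {ANY_USER}
    return {ANY_USER}


def untrusted_creators(security_json: str, trusted_roles) -> dict:
    """Map each low-trust role that can create cores to the users holding it.

    An empty dict means core creation is restricted to trusted_roles, which
    is the mitigation the advisory describes. The key "*" means everyone.
    """
    allowed = roles_that_can_create_cores(security_json) - set(trusted_roles)
    if ANY_USER in allowed:
        return {ANY_USER: ["<every user>"]}
    user_role = json.loads(security_json).get("authorization", {}).get("user-role", {})
    return {
        role: sorted(u for u, r in user_role.items() if role in _as_list(r))
        for role in sorted(allowed)
    }


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_SECURITY_JSON), ("hardened", HARDENED_SECURITY_JSON)):
        print(label, untrusted_creators(cfg, {"admin"}) or "OK: core creation limited to admin")
```

Run it against the security.json actually uploaded to the instance (or the file on disk in standalone mode) rather than the samples; a non-empty result, or a "*" entry, means the create-core API is reachable by users the advisory classes as untrusted, and upgrading to 9.10.1 or later remains necessary either way.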
Published: 2026-01-21
Score: 7.1 High
EPSS: < 1% Very Low
KEV: No
Impact: Untrusted file access enabling core creation and possible NTLM hash disclosure
Action: Patch
AI Analysis

Impact

The create core API in Apache Solr versions 8.6 through 9.10.0 does not fully validate API parameters, allowing Solr to read file-system paths that should be blocked by the allowPaths setting. This flaw can let an attacker create new core instances using arbitrary config sets that exist on the underlying filesystem, and on Windows systems configured to allow UNC paths it may also expose NTLM "user" hashes as part of read-only file access. The consequence is that an attacker could expand deployment configuration without proper authorization and potentially obtain sensitive authentication material.

Affected Systems

The vulnerability affects deployments of Apache Solr 8.6 to 9.10.0 that run in standalone mode, employ the allowPaths security setting to restrict file access, and expose the create core API to users who are not fully trusted. Systems that have RuleBasedAuthorizationPlugin disabled or have granted the core-admin-edit permission to non-admin roles are particularly susceptible.

Risk and Exploitability

With a CVSS score of 7.1 the flaw is considered high severity. The EPSS score of less than 1% suggests a low current exploitation probability, and it is not listed in the CISA KEV catalog. The likely attack vector is a remote API request to the core creation endpoint, which, if permitted to an untrusted user, can be abused. Proper authorization controls or disabling the vulnerable API are required to mitigate this risk. The solution is a patch or upgrade to a version where the issue is fixed.

Generated by OpenCVE AI on April 18, 2026 at 04:16 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Upgrade Apache Solr to version 9.10.1 or newer where the problem is resolved
  • Enable the RuleBasedAuthorizationPlugin and restrict the core-admin-edit permission to trusted administrative roles
  • Verify the allowPaths configuration to ensure it limits file access to intended directories
  • Optionally, block external access to the create core API if the deployment does not require it.

Advisories
  • Source: GitHub GHSA
    ID: GHSA-vc2w-4v3p-2mqw
    Title: Apache Solr: Insufficient file-access checking in standalone core-creation requests
History

Tue, 27 Jan 2026 20:45:00 +0000
  • CPEs, values added: cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*

Fri, 23 Jan 2026 16:45:00 +0000
  • First Time appeared, values added: Apache; Apache solr
  • Vendors & Products, values added: Apache; Apache solr

Thu, 22 Jan 2026 00:15:00 +0000
  • References: changed (values not shown)
  • Metrics, values removed: threat_severity = None
  • Metrics, values added: threat_severity = Moderate

Wed, 21 Jan 2026 16:15:00 +0000
  • Metrics, values added:
    cvssV3_1: {'score': 7.1, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N'}
    ssvc: {'options': {'Automatable': 'no', 'Exploitation': 'none', 'Technical Impact': 'partial'}, 'version': '2.0.3'}

Wed, 21 Jan 2026 15:30:00 +0000
  • References: changed (values not shown)

Wed, 21 Jan 2026 14:00:00 +0000
  • Description, value added: the description text shown at the top of this record
  • Title, value added: Apache Solr: Insufficient file-access checking in standalone core-creation requests
  • Weaknesses, value added: CWE-20
  • References: changed (values not shown)

MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-01-21T15:39:04.577Z

Reserved: 2026-01-07T13:29:04.129Z

Link: CVE-2026-22444

Vulnrichment

Updated: 2026-01-21T14:13:32.903Z

NVD

Status : Analyzed

Published: 2026-01-21T14:16:06.707

Modified: 2026-01-27T20:30:40.703

Link: CVE-2026-22444

Redhat

Severity : Moderate

Public Date: 2026-01-21T13:40:24Z

Links: CVE-2026-22444 - Bugzilla

OpenCVE Enrichment

Updated: 2026-04-18T04:30:35Z

Weaknesses