Description
Hardcoded credentials in the Basic Authentication setup tool (bin/solr auth enable) in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allow a remote attacker to gain full administrative access to the cluster via publicly known default credentials, which the tool installs silently alongside the user-specified account.

As an immediate workaround without upgrading, delete the template users (superadmin, admin, search, index) from security.json or change their passwords.
Versions 9.11.0 and 10.1.0, not yet released, will not be vulnerable; upgrading to them will be sufficient to resolve the issue.

Not affected:
* Clusters where bin/solr auth enable was not used to bootstrap BasicAuth
* Clusters where template users have been assigned strong passwords after bootstrap
Published: 2026-06-01
Score: 8.1 High
EPSS: n/a
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

Hardcoded default credentials are silently created when the bin/solr auth enable command is run, giving anyone who knows the preset usernames and passwords full administrative control of an Apache Solr cluster. This allows a remote attacker to modify configuration, access all indexes, and potentially exfiltrate data or disrupt service. The weakness is a form of insecure default configuration, identified by CWE-1188 and CWE-798.

Affected Systems

Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 are affected. Clusters that never used the BasicAuth bootstrap tool or that replaced the template users with strong passwords after bootstrap are not vulnerable.

Risk and Exploitability

The CVSS score of 8.1 indicates high severity; the vector (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H) rates the attack as network-reachable with no privileges or user interaction required, though with high attack complexity. No EPSS score is reported and the issue is not listed in CISA's KEV catalog, yet the presence of well-known default credentials means an attacker can exploit it with minimal effort if the cluster is exposed to the network. The attack vector is a remote request to the exposed Solr endpoints authenticated with the known default credentials, which grants the attacker administrative privileges.

Generated by OpenCVE AI on June 1, 2026 at 10:25 UTC.

Remediation

No vendor fix or workaround currently provided.

OpenCVE Recommended Actions

  • Once released, upgrade Apache Solr to version 9.11.0 or later (9.x) or 10.1.0 or later (10.x) to eliminate the flaw
  • Delete the template users (superadmin, admin, search, index) from security.json or change their passwords to strong values
  • Verify that BasicAuth was not enabled during cluster bootstrap or that custom users have secure passwords
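A way to audit a security.json for the template users named above and to apply the deletion workaround, as an added example rather than Solr's own tooling. It assumes the standard BasicAuthPlugin / RuleBasedAuthorizationPlugin layout of security.json, uses a constructed sample with placeholder credential values, and takes the administrative role name (assumed to be "admin") as a parameter; on a SolrCloud cluster the edited file would still have to be uploaded back to ZooKeeper.

```python
# Audit a Solr security.json for the template users that "bin/solr auth enable"
# installs next to the user-specified account, and produce a copy without them.
# Added example, not Solr's own tooling.
import json

TEMPLATE_USERS = frozenset({"superadmin", "admin", "search", "index"})

# Constructed sample in the BasicAuthPlugin / RuleBasedAuthorizationPlugin layout;
# credential values are placeholders, not real "<sha256 hash> <salt>" pairs.
SAMPLE_SECURITY_JSON = json.dumps({
    "authentication": {
        "blockUnknown": True,
        "class": "solr.BasicAuthPlugin",
        "credentials": {u: "<hash> <salt>" for u in
                        ("ops-admin", "superadmin", "admin", "search", "index")},
    },
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "permissions": [{"name": "security-edit", "role": "admin"},
                        {"name": "all", "role": "admin"}],
        "user-role": {"ops-admin": "admin", "superadmin": "admin",
                      "admin": "admin", "search": "search", "index": "index"},
    },
})


def find_template_users(security_json: str) -> list[str]:
    """Template users still present in the BasicAuth credentials map, sorted."""
    auth = json.loads(security_json).get("authentication", {})
    if auth.get("class") != "solr.BasicAuthPlugin":
        return []  # not BasicAuth, so the bootstrap tool did not add users here
    return sorted(TEMPLATE_USERS & set(auth.get("credentials", {})))


def remove_template_users(security_json: str, admin_role: str = "admin") -> str:
    """Drop template users from credentials and user-role; refuse to lock out."""
    doc = json.loads(security_json)
    creds = doc.get("authentication", {}).get("credentials", {})
    roles = doc.get("authorization", {}).get("user-role", {})
    # user-role values may be a single role name or a list of them.
    keepers = [u for u, r in roles.items() if u not in TEMPLATE_USERS
               and admin_role in (r if isinstance(r, list) else [r])]
    if not keepers:
        raise ValueError("no non-template user with the admin role would remain")
    for user in TEMPLATE_USERS:
        creds.pop(user, None)
        roles.pop(user, None)
    return json.dumps(doc, indent=2)
```

Run find_template_users over the live file first: an empty result on a BasicAuth cluster means the bootstrap template users are already gone, and the lockout guard in remove_template_users keeps the cluster administrable after the rewrite.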

Advisories

No advisories yet.

History

Mon, 01 Jun 2026 09:15:00 +0000

Type | Values Removed | Values Added
Description | (none) | Hardcoded credentials in the Basic Authentication setup tool (bin/solr auth enable) in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allows a remote attacker to gain full administrative access to the cluster via publicly known default credentials installed silently alongside the user-specified account. As an immediate workaround without upgrading, delete the template users (superadmin, admin, search, index) from security.json or change their passwords. The future, not yet released, versions 9.11.0 and 10.1.0 will not be vulnerable, and it will be enough to upgrade to solve the issue. Not affected: * Clusters where bin/solr auth enable was not used to bootstrap BasicAuth * Clusters where template users have been assigned strong passwords after bootstrap
Title | (none) | Apache Solr: Enabling BasicAuth using bin/solr CLI configures additional insecure users
Weaknesses | (none) | CWE-1188, CWE-798
References | (none) | (none)
Metrics | (none) | cvssV3_1 {'score': 8.1, 'vector': 'CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H'}


MITRE

Status: PUBLISHED

Assigner: apache

Published:

Updated: 2026-06-01T09:52:40.723Z

Reserved: 2026-05-07T20:29:03.792Z

Link: CVE-2026-44825

Vulnrichment

No data.

NVD

Status : Received

Published: 2026-06-01T09:16:19.267

Modified: 2026-06-01T09:16:19.267

Link: CVE-2026-44825

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-06-01T10:30:26Z

Weaknesses