Description
The Goobi viewer is a web application that allows digitised material to be displayed in a web browser. From 4.8.0 to before 26.04.1, the Goobi viewer REST endpoint POST /api/v1/index/stream accepted an arbitrary Solr streaming expression from unauthenticated network clients and forwarded it to the backend Solr server without restriction. An attacker could read the complete Solr index and, in default Solr deployments, also modify or delete indexed records. This vulnerability is fixed in 26.04.1.
Published: 2026-05-27
Score: 9.8 Critical
EPSS: < 1% Very Low
KEV: No
Impact: n/a
Action: n/a
AI Analysis

Impact

The vulnerability permits unauthenticated network clients to send any Solr streaming expression to the REST endpoint POST /api/v1/index/stream, which forwards the expression directly to the Solr backend without any access control. The attacker can therefore read the entire Solr index and, on default Solr deployments, modify or delete indexed records. This breaches the confidentiality and integrity, and potentially the availability, of the digitised material repository; the weakness is classified as CWE-306 (Missing Authentication for Critical Function).

Affected Systems

The issue is present in Intranda Goobi Viewer core versions starting from 4.8.0 up through any build before 26.04.1. Systems running the impacted versions with an unprotected Solr instance expose all indexed content to unauthenticated users. Default Solr setups are especially vulnerable because they lack authentication or fine-grained access controls.

Risk and Exploitability

The CVSS score of 9.8 classifies this as a critical vulnerability. No EPSS score is published, but the lack of authentication and the direct forwarding of arbitrary expressions make exploitation straightforward for anyone with network access to the application. The vulnerability is not yet listed in the CISA KEV catalog, though the likelihood of exploitation is effectively high once the affected application and its Solr backend are publicly reachable.

Generated by OpenCVE AI on May 27, 2026 at 22:24 UTC.

Remediation

No vendor fix or workaround is currently provided.

OpenCVE Recommended Actions

  • Upgrade Intranda Goobi Viewer core to version 26.04.1 or newer.
  • If upgrade is not immediately possible, disable or remove the POST /api/v1/index/stream endpoint from the application or block it at the firewall level.
  • Add authentication requirements to the endpoint, or restrict Solr to authenticated access only, ensuring that any Solr-side controls are applied.

Generated by OpenCVE AI on May 27, 2026 at 22:24 UTC.
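As an added example (not part of the OpenCVE record or the Goobi viewer project), the following Python scan runs over constructed web-server access-log lines and flags POST calls to /api/v1/index/stream, so an operator can check whether the endpoint was reached before the upgrade or firewall block took effect. The log lines, IP addresses and user agents are constructed for illustration.

```python
import re
from dataclasses import dataclass

# Constructed sample access-log lines in combined log format (hypothetical clients).
SAMPLE_LOG = """\
203.0.113.7 - - [27/May/2026:22:10:01 +0000] "GET /api/v1/records/PPN123/manifest/ HTTP/1.1" 200 1842 "-" "Mozilla/5.0"
203.0.113.7 - - [27/May/2026:22:10:05 +0000] "POST /api/v1/index/stream HTTP/1.1" 200 52311 "-" "python-requests/2.31"
198.51.100.4 - - [27/May/2026:22:11:30 +0000] "POST /api/v1/index/stream HTTP/1.1" 403 0 "-" "curl/8.4.0"
203.0.113.7 - - [27/May/2026:22:12:10 +0000] "POST /api/v1/index/stream/ HTTP/1.1" 200 52311 "-" "python-requests/2.31"
"""

# Combined log format: ip ident user [timestamp] "METHOD path proto" status size ...
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Endpoint named in the advisory (the vulnerable Solr streaming-expression proxy).
STREAM_PATH = "/api/v1/index/stream"


@dataclass
class Finding:
    ip: str
    timestamp: str
    status: int
    bytes_sent: int
    severity: str  # "high" when the server answered the request, else "info"


def is_stream_call(method, path):
    # Normalise query string and trailing slash before comparing the path.
    p = path.split("?", 1)[0].rstrip("/")
    return method == "POST" and p == STREAM_PATH


def scan_access_log(text):
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m or not is_stream_call(m["method"], m["path"]):
            continue
        status = int(m["status"])
        size = int(m["size"]) if m["size"].isdigit() else 0
        # A 2xx means the expression was forwarded and answered; blocked calls are still recorded.
        sev = "high" if 200 <= status < 300 else "info"
        findings.append(Finding(m["ip"], m["ts"], status, size, sev))
    return findings


def summarize(findings):
    # Per-client totals: number of calls, calls that were served, and bytes returned.
    per_ip = {}
    for f in findings:
        d = per_ip.setdefault(f.ip, {"hits": 0, "served": 0, "bytes": 0})
        d["hits"] += 1
        if f.severity == "high":
            d["served"] += 1
            d["bytes"] += f.bytes_sent
    return per_ip
```

Large byte counts on served calls from a single client are the signal that an index dump may have happened and that the Solr index should be checked for modified or deleted records.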


Advisories

  • Source: GitHub GHSA; ID: GHSA-2rgp-f66f-4499; Title: Goobi viewer - Core: Unauthenticated Solr Streaming Expression Proxy
History

Thu, 28 May 2026 13:30:00 +0000

Values added
  • Metrics (ssvc): {'options': {'Automatable': 'yes', 'Exploitation': 'none', 'Technical Impact': 'total'}, 'version': '2.0.3'}

Thu, 28 May 2026 01:45:00 +0000

Values added
  • First time appeared: Intranda; Intranda goobi Viewer Core
  • Vendors & Products: Intranda; Intranda goobi Viewer Core

Wed, 27 May 2026 21:45:00 +0000

Values added
  • Description: as given in the Description section above
  • Title: Goobi viewer: Unauthenticated Solr Streaming Expression Proxy
  • Weaknesses: CWE-306
  • References: (none listed)
  • Metrics (cvssV3_1): {'score': 9.8, 'vector': 'CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H'}

MITRE

Status: PUBLISHED

Assigner: GitHub_M

Published:

Updated: 2026-05-28T13:04:14.870Z

Reserved: 2026-05-08T18:45:10.097Z

Link: CVE-2026-45083

Vulnrichment

Updated: 2026-05-28T13:04:11.525Z

NVD

Status: Received

Published: 2026-05-27T22:16:36.820

Modified: 2026-05-27T22:16:36.820

Link: CVE-2026-45083

Redhat

No data.

OpenCVE Enrichment

Updated: 2026-05-28T01:30:03Z

Weaknesses