
CVE-2026-44825 is a hardcoded credentials vulnerability in Apache Solr's Basic Authentication setup tool (bin/solr auth enable) that allows unauthenticated remote attackers to gain full administrative access to affected clusters. It affects Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0. The vulnerability was discovered by Naveen Sunkavally of Horizon3.ai and disclosed on May 29, 2026, with NVD publication on June 1, 2026. It carries a CVSS v3.1 base score of 9.8 (Critical) per NVD, and 8.1 (High) per the GitHub Advisory Database (GitHub Advisory, Openwall OSS-Sec).
The root cause is classified as CWE-798 (Use of Hard-coded Credentials) and CWE-1188 (Insecure Default Initialization of Resource). When an administrator runs bin/solr auth enable to bootstrap Basic Authentication, the tool silently installs four template user accounts — superadmin, admin, search, and index — with publicly known default credentials in security.json, alongside the user-specified account. An attacker with network access to the Solr cluster can authenticate using these well-known credentials without any prior knowledge of the environment. The issue is tracked as SOLR-18233 (Openwall OSS-Sec, GitHub Advisory).
Successful exploitation grants an unauthenticated remote attacker full administrative (superadmin) privileges over the Apache Solr cluster, enabling complete read, modification, or deletion of all indexed data. The attacker can also reconfigure the cluster, add or remove nodes, modify access controls, and potentially pivot to other systems that trust the Solr instance. All three pillars of security — confidentiality, integrity, and availability — are fully compromised (GitHub Advisory, Openwall OSS-Sec).
The Apache Software Foundation advises upgrading to Apache Solr versions 9.11.0 or 10.1.0 once released, as these versions will not include the insecure template users. As an immediate workaround without upgrading, administrators should delete the four template user accounts (superadmin, admin, search, index) from security.json, or change their passwords to strong, unique values. Clusters that did not use bin/solr auth enable to bootstrap BasicAuth, or where template user passwords were already changed after bootstrap, are not affected (Openwall OSS-Sec, GitHub Advisory).
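The workaround above amounts to auditing security.json for the four template account names and removing them (or replacing their passwords) while keeping the operator's own account intact. The following Python script, added here as an illustration and not code from the Apache Solr project or the advisory, shows that check on a constructed security.json shaped like Solr's BasicAuth layout; the credential hash values in the sample are placeholders, not Solr's real template hashes. The `keep` parameter is an assumption of this example: it exists so an operator who deliberately named their own account "admin" with a unique password is not locked out. Presence of a template name only flags the account for review; the script cannot tell from the hash alone whether the default password was already changed.

```python
import json

# Template account names listed in the advisory for CVE-2026-44825.
TEMPLATE_USERS = frozenset({"superadmin", "admin", "search", "index"})

# Constructed sample security.json. Solr's BasicAuthPlugin stores each entry in
# authentication.credentials as "<sha256-hash> <salt>"; the values below are
# placeholders (constructed), not the real template credentials.
SAMPLE_SECURITY_JSON = json.dumps({
    "authentication": {
        "blockUnknown": True,
        "class": "solr.BasicAuthPlugin",
        "credentials": {
            "superadmin": "PLACEHOLDER_HASH_1 PLACEHOLDER_SALT_1",
            "admin": "PLACEHOLDER_HASH_2 PLACEHOLDER_SALT_2",
            "search": "PLACEHOLDER_HASH_3 PLACEHOLDER_SALT_3",
            "index": "PLACEHOLDER_HASH_4 PLACEHOLDER_SALT_4",
            "ops-team": "PLACEHOLDER_HASH_5 PLACEHOLDER_SALT_5",
        },
    },
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "user-role": {
            "superadmin": "admin",
            "admin": "admin",
            "search": "search",
            "index": "index",
            "ops-team": "admin",
        },
        "permissions": [{"name": "all", "role": "admin"}],
    },
})

# Constructed sample where only template accounts exist (nothing to fall back on).
SAMPLE_TEMPLATE_ONLY_JSON = json.dumps({
    "authentication": {
        "blockUnknown": True,
        "class": "solr.BasicAuthPlugin",
        "credentials": {"superadmin": "PLACEHOLDER_HASH_1 PLACEHOLDER_SALT_1"},
    }
})


def find_template_users(security_json: str, keep=()):
    """Return the sorted template account names present in
    authentication.credentials, minus any names in `keep` (accounts the
    operator created on purpose and already gave a unique password)."""
    doc = json.loads(security_json)
    creds = doc.get("authentication", {}).get("credentials", {})
    return sorted((TEMPLATE_USERS & set(creds)) - set(keep))


def remove_template_users(security_json: str, keep=()):
    """Return (hardened_json, removed_names).

    Drops the flagged template accounts from the credentials map and from the
    authorization user-role map so no stale role mapping survives. Refuses to
    produce a file with no accounts at all, since blockUnknown=true would then
    lock every client out of the cluster."""
    doc = json.loads(security_json)
    removed = find_template_users(security_json, keep)
    creds = doc.get("authentication", {}).get("credentials", {})
    roles = doc.get("authorization", {}).get("user-role", {})
    for name in removed:
        creds.pop(name, None)
        roles.pop(name, None)
    if not creds:
        raise ValueError("refusing to write a security.json with no accounts; "
                         "create a replacement admin account first")
    return json.dumps(doc, indent=2), removed


def remaining_users(security_json: str):
    """Sorted account names left in authentication.credentials."""
    return sorted(json.loads(security_json)["authentication"]["credentials"])


def remaining_role_users(security_json: str):
    """Sorted account names left in the authorization user-role map."""
    return sorted(json.loads(security_json).get("authorization", {}).get("user-role", {}))


if __name__ == "__main__":
    print("template accounts present:", find_template_users(SAMPLE_SECURITY_JSON))
    hardened, removed = remove_template_users(SAMPLE_SECURITY_JSON)
    print("removed:", removed)
    print("remaining accounts:", remaining_users(hardened))
    print(hardened)
```

On a real cluster the hardened document would be uploaded back with the same mechanism used to manage security.json (for example the cluster's ZooKeeper upload path in SolrCloud), and the operator would confirm that at least one account with a unique, strong password remains before pushing it.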
The vulnerability was publicly disclosed by Jan Høydahl of the Apache Solr project via the oss-security mailing list on May 29, 2026, crediting Naveen Sunkavally of Horizon3.ai as the finder (Openwall OSS-Sec). Horizon3.ai published a dedicated vulnerability research page, and security news outlets including SecurityOnline.info and CyCognito covered the issue shortly after disclosure (Horizon3.ai). The CISA vulnerability bulletin for the week of June 1, 2026 included this CVE, and community discussion was observed on Bluesky and Mastodon/infosec.exchange.
Source: This report was generated using artificial intelligence.