CVE-2026-44825: Apache Solr Vulnerability Analysis and Mitigation
Overview
CVE-2026-44825 is a hardcoded credentials vulnerability in Apache Solr's Basic Authentication setup tool (bin/solr auth enable) that allows unauthenticated remote attackers to gain full administrative access to affected clusters. It affects Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0. The vulnerability was discovered by Naveen Sunkavally of Horizon3.ai and disclosed on May 29, 2026, with NVD publication on June 1, 2026. It carries a CVSS v3.1 base score of 9.8 (Critical) per NVD, and 8.1 (High) per the GitHub Advisory Database (GitHub Advisory, Openwall OSS-Sec).
Technical Details
The root cause is classified as CWE-798 (Use of Hard-coded Credentials) and CWE-1188 (Insecure Default Initialization of Resource). When an administrator runs bin/solr auth enable to bootstrap Basic Authentication, the tool silently installs four template user accounts — superadmin, admin, search, and index — with publicly known default credentials in security.json, alongside the user-specified account. An attacker with network access to the Solr cluster can authenticate using these well-known credentials without any prior knowledge of the environment. The issue is tracked as SOLR-18233 (Openwall OSS-Sec, GitHub Advisory).
Impact
Successful exploitation grants an unauthenticated remote attacker full administrative (superadmin) privileges over the Apache Solr cluster, enabling complete read, modification, or deletion of all indexed data. The attacker can also reconfigure the cluster, add or remove nodes, modify access controls, and potentially pivot to other systems that trust the Solr instance. All three pillars of security — confidentiality, integrity, and availability — are fully compromised (GitHub Advisory, Openwall OSS-Sec).
Exploitation Steps
- Reconnaissance: Identify internet-facing Apache Solr instances running versions 9.4.0–9.10.1 or 10.0.0 using tools like Shodan or Censys, searching for the Solr admin UI (default port 8983).
- Verify BasicAuth is enabled: Attempt to access the Solr Admin UI or API endpoint (e.g., http://<target>:8983/solr/admin/info/system). If a 401 Unauthorized response with a WWW-Authenticate: Basic header is returned, BasicAuth is active.
- Attempt default credentials: Try authenticating with the known template user accounts (superadmin, admin, search, or index) using their publicly known default passwords against the Solr API or Admin UI.
- Confirm administrative access: Upon successful authentication, verify superadmin privileges by querying http://<target>:8983/solr/admin/authentication or accessing cluster management endpoints.
- Achieve objective: With full administrative access, exfiltrate indexed data, modify or delete collections, alter security configurations (e.g., add a new backdoor admin account), or disrupt cluster availability (Openwall OSS-Sec, GitHub Advisory).
Indicators of Compromise
- Network: Unexpected successful HTTP 200 responses to Solr API endpoints (e.g., /solr/admin/, /solr/admin/authentication, /solr/admin/collections) authenticated with the usernames superadmin, admin, search, or index; unusual inbound connections to port 8983 from external or unexpected IP addresses.
- Logs: Solr access logs (solr.log) showing successful authentication events for the template usernames (superadmin, admin, search, index) from unfamiliar source IPs; repeated authentication attempts against these accounts.
- File System: Presence of security.json in the Solr configuration directory containing entries for the superadmin, admin, search, or index users with default/weak password hashes; unexpected modifications to security.json (e.g., new admin accounts added).
- Application: New collections created, existing collections deleted, or security configuration changes (new users, modified roles) not initiated by known administrators, visible via the Solr Admin UI or Collections API.
Mitigation and Remediation
The Apache Software Foundation advises upgrading to Apache Solr versions 9.11.0 or 10.1.0 once released, as these versions will not include the insecure template users. As an immediate workaround without upgrading, administrators should delete the four template user accounts (superadmin, admin, search, index) from security.json, or change their passwords to strong, unique values. Clusters that did not use bin/solr auth enable to bootstrap BasicAuth, or where template user passwords were already changed after bootstrap, are not affected (Openwall OSS-Sec, GitHub Advisory).
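As an added example (not code from the advisory or the Solr project), the following Python audits a local copy of security.json in the BasicAuthPlugin / RuleBasedAuthorizationPlugin layout for the four template accounts and returns a hardened copy with them removed from both the credentials map and the user-role map, implementing the workaround above. The embedded sample file, its ops-admin account and the hash values are constructed placeholders; in SolrCloud the live security.json is held in ZooKeeper, so the file would have to be downloaded and re-uploaded after editing.

```python
import json
from typing import Dict, List, Tuple

# The four template accounts named in the advisory.
TEMPLATE_USERS = {"superadmin", "admin", "search", "index"}

# Constructed sample security.json in the BasicAuthPlugin /
# RuleBasedAuthorizationPlugin layout; hashes and salts are placeholders.
SAMPLE_SECURITY_JSON = """{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "ops-admin": "PLACEHOLDER_HASH_1 PLACEHOLDER_SALT_1",
      "superadmin": "PLACEHOLDER_HASH_2 PLACEHOLDER_SALT_2",
      "admin": "PLACEHOLDER_HASH_3 PLACEHOLDER_SALT_3",
      "search": "PLACEHOLDER_HASH_4 PLACEHOLDER_SALT_4",
      "index": "PLACEHOLDER_HASH_5 PLACEHOLDER_SALT_5"
    }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "user-role": {"ops-admin": "admin", "superadmin": "admin", "admin": "admin",
                  "search": "search", "index": "index"}
  }
}"""

def parse_security_json(raw: str) -> Dict:
    return json.loads(raw)

def find_template_users(config: Dict) -> List[str]:
    """Template accounts still present in the credentials map."""
    creds = config.get("authentication", {}).get("credentials", {})
    return sorted(u for u in creds if u in TEMPLATE_USERS)

def remove_template_users(config: Dict) -> Tuple[Dict, List[str]]:
    """Return (hardened copy, removed users). Template accounts are stripped
    from credentials and user-role; other accounts (here ops-admin) stay."""
    removed = find_template_users(config)
    hardened = json.loads(json.dumps(config))  # deep copy, input untouched
    creds = hardened["authentication"]["credentials"]
    roles = hardened.get("authorization", {}).get("user-role", {})
    for user in removed:
        creds.pop(user, None)
        roles.pop(user, None)
    return hardened, removed

if __name__ == "__main__":
    hardened, removed = remove_template_users(parse_security_json(SAMPLE_SECURITY_JSON))
    print("template accounts removed:", removed)
    print(json.dumps(hardened, indent=2))
```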
Community Response
The vulnerability was publicly disclosed by Jan Høydahl of the Apache Solr project via the oss-security mailing list on May 29, 2026, crediting Naveen Sunkavally of Horizon3.ai as the finder (Openwall OSS-Sec). Horizon3.ai published a dedicated vulnerability research page, and security news outlets including SecurityOnline.info and CyCognito covered the issue shortly after disclosure (Horizon3.ai). The CISA vulnerability bulletin for the week of June 1, 2026 included this CVE, and community discussion was observed on Bluesky and Mastodon/infosec.exchange.
Additional Resources
Source: This report was generated using AI.
Related Apache Solr vulnerabilities: