CVE-2026-22444: CWE-20 Improper Input Validation in Apache Software Foundation Apache Solr
The "create core" API of Apache Solr 8.6 through 9.10.0 lacks sufficient input validation on some API parameters, which can cause Solr to check the existence of and attempt to read file-system paths that should be disallowed by Solr's "allowPaths" security setting https://https://solr.apache.org/guide/solr/latest/configuration-guide/configuring-solr-xml.html#the-solr-element . These read-only accesses can allow users to create cores using unexpected configsets if any are accessible via the filesystem. On Windows systems configured to allow UNC paths this can additionally cause disclosure of NTLM "user" hashes. Solr deployments are subject to this vulnerability if they meet the following criteria: * Solr is running in its "standalone" mode. * Solr's "allowPath" setting is being used to restrict file access to certain directories. * Solr's "create core" API is exposed and accessible to untrusted users. This can happen if Solr's RuleBasedAuthorizationPlugin https://solr.apache.org/guide/solr/latest/deployment-guide/rule-based-authorization-plugin.html is disabled, or if it is enabled but the "core-admin-edit" predefined permission (or an equivalent custom permission) is given to low-trust (i.e. non-admin) user roles. Users can mitigate this by enabling Solr's RuleBasedAuthorizationPlugin (if disabled) and configuring a permission-list that prevents untrusted users from creating new Solr cores. Users should also upgrade to Apache Solr 9.10.1 or greater, which contain fixes for this issue.
AI Analysis
Technical Summary
CVE-2026-22444 is a security vulnerability affecting Apache Solr versions 8.6 through 9.10.0, stemming from improper input validation (CWE-20) in the 'create core' API. Solr's 'allowPaths' setting is designed to restrict filesystem access to specific directories, preventing unauthorized reading of files. However, due to insufficient validation of API parameters, attackers can manipulate the 'create core' API to cause Solr to check and read filesystem paths outside the allowed directories. This can result in the creation of Solr cores using unexpected configuration sets accessible on the filesystem, potentially exposing sensitive data or configurations. On Windows systems configured to allow UNC paths, this vulnerability can lead to the disclosure of NTLM user hashes, which attackers could use for credential theft or lateral movement. The vulnerability is exploitable only if Solr is running in standalone mode, the 'allowPath' restriction is in place, and the 'create core' API is exposed to untrusted users—often due to disabled or misconfigured RuleBasedAuthorizationPlugin permissions. No known exploits are currently reported in the wild. The Apache Software Foundation has addressed this issue in Solr version 9.10.1 and later, recommending users to upgrade and properly configure authorization controls to prevent unauthorized core creation.
Potential Impact
For European organizations, this vulnerability poses significant risks including unauthorized access to sensitive filesystem data and potential exposure of NTLM hashes on Windows-based Solr deployments. This can lead to data confidentiality breaches, unauthorized configuration changes, and facilitate lateral movement within corporate networks. Organizations relying on Solr for search and indexing services, especially those exposing the 'create core' API without strict access controls, may face operational disruptions and increased risk of compromise. The exposure of NTLM hashes is particularly concerning in environments where Windows authentication is prevalent, as it can enable attackers to escalate privileges or move laterally. Given the widespread use of Apache Solr in enterprise search applications across Europe, the vulnerability could impact sectors such as finance, government, healthcare, and telecommunications, where sensitive data is indexed and searched. Failure to mitigate this vulnerability could also affect compliance with European data protection regulations like GDPR due to potential unauthorized data access.
Mitigation Recommendations
European organizations should immediately verify if their Apache Solr deployments are running versions 8.6 through 9.10.0 and assess whether the 'create core' API is exposed to untrusted users. They must enable and properly configure the RuleBasedAuthorizationPlugin to restrict 'core-admin-edit' or equivalent permissions exclusively to trusted administrative roles, preventing unauthorized core creation. Upgrading to Apache Solr version 9.10.1 or later is critical to apply the official fix. Additionally, organizations should audit their 'allowPaths' settings to ensure they are correctly restricting filesystem access and review network exposure of Solr APIs, ideally limiting access via firewall rules or VPNs. On Windows systems, disabling UNC path support where not required or applying additional network segmentation can reduce the risk of NTLM hash exposure. Regular monitoring and logging of Solr API usage should be implemented to detect anomalous core creation attempts. Finally, organizations should conduct penetration testing and vulnerability scanning focused on Solr instances to confirm the absence of this vulnerability post-mitigation.
Affected Countries
Germany, France, United Kingdom, Netherlands, Italy, Spain, Sweden, Belgium, Poland, Switzerland
CVE-2026-22444: CWE-20 Improper Input Validation in Apache Software Foundation Apache Solr
Description
The "create core" API of Apache Solr 8.6 through 9.10.0 lacks sufficient input validation on some API parameters, which can cause Solr to check the existence of and attempt to read file-system paths that should be disallowed by Solr's "allowPaths" security setting https://https://solr.apache.org/guide/solr/latest/configuration-guide/configuring-solr-xml.html#the-solr-element . These read-only accesses can allow users to create cores using unexpected configsets if any are accessible via the filesystem. On Windows systems configured to allow UNC paths this can additionally cause disclosure of NTLM "user" hashes. Solr deployments are subject to this vulnerability if they meet the following criteria: * Solr is running in its "standalone" mode. * Solr's "allowPath" setting is being used to restrict file access to certain directories. * Solr's "create core" API is exposed and accessible to untrusted users. This can happen if Solr's RuleBasedAuthorizationPlugin https://solr.apache.org/guide/solr/latest/deployment-guide/rule-based-authorization-plugin.html is disabled, or if it is enabled but the "core-admin-edit" predefined permission (or an equivalent custom permission) is given to low-trust (i.e. non-admin) user roles. Users can mitigate this by enabling Solr's RuleBasedAuthorizationPlugin (if disabled) and configuring a permission-list that prevents untrusted users from creating new Solr cores. Users should also upgrade to Apache Solr 9.10.1 or greater, which contain fixes for this issue.
AI-Powered Analysis
Technical Analysis
CVE-2026-22444 is a security vulnerability affecting Apache Solr versions 8.6 through 9.10.0, stemming from improper input validation (CWE-20) in the 'create core' API. Solr's 'allowPaths' setting is designed to restrict filesystem access to specific directories, preventing unauthorized reading of files. However, due to insufficient validation of API parameters, attackers can manipulate the 'create core' API to cause Solr to check and read filesystem paths outside the allowed directories. This can result in the creation of Solr cores using unexpected configuration sets accessible on the filesystem, potentially exposing sensitive data or configurations. On Windows systems configured to allow UNC paths, this vulnerability can lead to the disclosure of NTLM user hashes, which attackers could use for credential theft or lateral movement. The vulnerability is exploitable only if Solr is running in standalone mode, the 'allowPath' restriction is in place, and the 'create core' API is exposed to untrusted users—often due to disabled or misconfigured RuleBasedAuthorizationPlugin permissions. No known exploits are currently reported in the wild. The Apache Software Foundation has addressed this issue in Solr version 9.10.1 and later, recommending users to upgrade and properly configure authorization controls to prevent unauthorized core creation.
Potential Impact
For European organizations, this vulnerability poses significant risks including unauthorized access to sensitive filesystem data and potential exposure of NTLM hashes on Windows-based Solr deployments. This can lead to data confidentiality breaches, unauthorized configuration changes, and facilitate lateral movement within corporate networks. Organizations relying on Solr for search and indexing services, especially those exposing the 'create core' API without strict access controls, may face operational disruptions and increased risk of compromise. The exposure of NTLM hashes is particularly concerning in environments where Windows authentication is prevalent, as it can enable attackers to escalate privileges or move laterally. Given the widespread use of Apache Solr in enterprise search applications across Europe, the vulnerability could impact sectors such as finance, government, healthcare, and telecommunications, where sensitive data is indexed and searched. Failure to mitigate this vulnerability could also affect compliance with European data protection regulations like GDPR due to potential unauthorized data access.
Mitigation Recommendations
European organizations should immediately verify if their Apache Solr deployments are running versions 8.6 through 9.10.0 and assess whether the 'create core' API is exposed to untrusted users. They must enable and properly configure the RuleBasedAuthorizationPlugin to restrict 'core-admin-edit' or equivalent permissions exclusively to trusted administrative roles, preventing unauthorized core creation. Upgrading to Apache Solr version 9.10.1 or later is critical to apply the official fix. Additionally, organizations should audit their 'allowPaths' settings to ensure they are correctly restricting filesystem access and review network exposure of Solr APIs, ideally limiting access via firewall rules or VPNs. On Windows systems, disabling UNC path support where not required or applying additional network segmentation can reduce the risk of NTLM hash exposure. Regular monitoring and logging of Solr API usage should be implemented to detect anomalous core creation attempts. Finally, organizations should conduct penetration testing and vulnerability scanning focused on Solr instances to confirm the absence of this vulnerability post-mitigation.
Technical Details
- Data Version
- 5.2
- Assigner Short Name
- apache
- Date Reserved
- 2026-01-07T13:29:04.129Z
- Cvss Version
- null
- State
- PUBLISHED
Threat ID: 6970dd444623b1157cd11f84
Added to database: 1/21/2026, 2:05:56 PM
Last enriched: 1/21/2026, 2:20:20 PM
Last updated: 2/7/2026, 6:00:33 AM
Views: 129
Community Reviews
0 reviewsCrowdsource mitigation strategies, share intel context, and vote on the most helpful responses. Sign in to add your voice and help keep defenders ahead.
Want to contribute mitigation steps or threat intel context? Sign in or create an account to join the community discussion.
Related Threats
CVE-2025-15267: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in boldthemes Bold Page Builder
MediumCVE-2025-13463: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in boldthemes Bold Page Builder
MediumCVE-2025-12803: CWE-80 Improper Neutralization of Script-Related HTML Tags in a Web Page (Basic XSS) in boldthemes Bold Page Builder
MediumCVE-2025-12159: CWE-79 Improper Neutralization of Input During Web Page Generation ('Cross-site Scripting') in boldthemes Bold Page Builder
MediumCVE-2026-2075: Improper Access Controls in yeqifu warehouse
MediumActions
Updates to AI analysis require Pro Console access. Upgrade inside Console → Billing.
Need more coverage?
Upgrade to Pro Console in Console -> Billing for AI refresh and higher limits.
For incident response and remediation, OffSeq services can help resolve threats faster.