CVE-2026-22022
This vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.
Overview
Apache Solr is an open-source search platform built on Apache Lucene, designed for scalable, high-performance search and indexing. It supports full-text search, faceted search, real-time indexing, distributed searching, and high availability. Solr is widely used in applications requiring fast and efficient search capabilities, such as e-commerce, enterprise search, and log analytics.
An Improper Authorization vulnerability (CVE-2026-22022) has been identified in Solr's RuleBasedAuthorizationPlugin. The flaw allows certain predefined permission rules to be bypassed, giving an attacker access to admin handler operations that the plugin's rule configuration is meant to restrict.
Per the Open Web Application Security Project (OWASP): "Improper Authorization occurs when an application fails to properly enforce access control policies, allowing users to bypass permission rules and perform actions they should not be authorized to execute."
This issue affects versions below 9.8.0.
Details
Module Info
- Product: Apache Solr
- Affected packages: solr-core
- Affected versions: <9.8.0
- GitHub repository: https://github.com/apache/solr
- Published packages: https://central.sonatype.com/artifact/org.apache.solr/solr-core
- Package manager: Maven
- Fixed in: NES for Solr v8.11.6
Vulnerability Info
A security vulnerability has been identified in Apache Solr's RuleBasedAuthorizationPlugin. The flaw allows certain of the plugin's predefined permission rules to be bypassed, so that requests to admin handlers are not restricted the way the configured rules intend. An attacker could use this to perform operations on admin handlers that the authorization configuration should have denied.
To reduce exposure until an upgrade is possible, review security.json: grant the predefined admin permissions (such as security-edit, config-edit, core-admin-edit and collection-admin-edit) only to an administrative role, and close the permission list with an all rule so that a request matched by no earlier rule is not allowed through. Configuration hardening is a compensating control only; on affected versions the plugin's own rule handling is what is flawed, so the complete fix is the patched version.
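The following security.json is an added example written for this page; it is not code from the original advisory or from the Apache Solr project. The user names (solradmin, indexer, searcher), the roles, and the credential placeholders are assumptions chosen for illustration. It shows the hardened shape of the RuleBasedAuthorizationPlugin configuration described above: every predefined admin permission is pinned to the admin role, the data-plane rules are scoped to the roles that need them, and the list ends with a catch-all all rule. The weak configuration this replaces is the same file with only the read and update rules and no admin or all entries.

```json
{
  "authentication": {
    "class": "solr.BasicAuthPlugin",
    "blockUnknown": true,
    "credentials": {
      "solradmin": "<base64 SHA-256 of salted password> <base64 salt>",
      "indexer":   "<base64 SHA-256 of salted password> <base64 salt>",
      "searcher":  "<base64 SHA-256 of salted password> <base64 salt>"
    }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "user-role": {
      "solradmin": "admin",
      "indexer": "writer",
      "searcher": "reader"
    },
    "permissions": [
      {"name": "security-edit",         "role": "admin"},
      {"name": "security-read",         "role": "admin"},
      {"name": "config-edit",           "role": "admin"},
      {"name": "config-read",           "role": "admin"},
      {"name": "core-admin-edit",       "role": "admin"},
      {"name": "core-admin-read",       "role": "admin"},
      {"name": "collection-admin-edit", "role": "admin"},
      {"name": "collection-admin-read", "role": "admin"},
      {"name": "update",                "role": ["admin", "writer"]},
      {"name": "read",                  "role": ["admin", "writer", "reader"]},
      {"name": "all",                   "role": "admin"}
    ]
  }
}
```

Solr evaluates the permissions list in order and applies the first rule that matches the request; a request that no rule matches is allowed, which is why the reference guide recommends a closing all rule owned by the administrative role. blockUnknown: true rejects unauthenticated requests outright, so every request that reaches the authorization plugin carries a known user and role. Replace the credential placeholders with hashes generated by Solr's own tooling before deploying.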
Mitigation
Apache Solr versions up to and including 8.11.4 are no longer community-supported, and the community version will not receive an update to address this issue.
Users of the affected components should apply one of the following mitigations:
- Upgrade Apache Solr to >=9.8.0
- Leverage a commercial support partner like HeroDevs for post-EOL support of the 8.11.x line (the fix is included in NES for Solr v8.11.6)
Credits
- monkeontheroof