CVE-2026-22444

Authorization Bypass
Affects: Apache Solr (Apache Solr & Lucene)
Versions: <9.8.0
Patch Available

This Vulnerability has been fixed in the Never-Ending Support (NES) version offered by HeroDevs.

Overview

Apache Solr is an open-source search platform built on Apache Lucene, designed for scalable, high-performance search and indexing. It supports full-text search, faceted search, real-time indexing, distributed searching, and high availability. Solr is widely used in applications requiring fast and efficient search capabilities, such as e-commerce, enterprise search, and log analytics. 

An Improper Access Control vulnerability (CVE-2026-22444) has been identified in the FileSystemConfigSetService component. This vulnerability allows attackers to load malicious code as a plugin.

Per the Open Web Application Security Project (OWASP): "Improper Access Control occurs when an application does not properly restrict access to resources or functionality, allowing unauthorized users to perform actions beyond their intended permissions."

This issue affects versions below 9.8.0.

Details

Vulnerability Info

A security vulnerability has been identified in Apache Solr affecting authorization mechanisms in admin handlers. The flaw involves insufficient file-access checking in standalone core-creation requests, which could allow unauthorized operations. The fix includes security patches to SchemaHandler, SolrConfigHandler, and other admin handlers with enhanced permission validation and HTTP method checking.

To mitigate this risk, users should ensure authentication and authorization are enabled and that admin handlers are properly secured. The fix also addresses path- and permission-related NullPointerExceptions (NPEs) and includes comprehensive security tests.
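The advisory's mitigation is to have authentication and authorization enabled so that admin handlers (config, schema, core administration) are reachable only by authorized users. The following security.json is an added example written for this page; it is not code from the Apache Solr project or from this advisory. It assumes a single administrative user named solradmin (a hypothetical name), and the credential value is a placeholder to be replaced with the SHA-256 hash and salt that Solr's BasicAuthPlugin expects. It uses the predefined permission names of the RuleBasedAuthorizationPlugin; permissions are evaluated in order, so the restrictive rules for editing config, schema and cores come first and the catch-all "all" rule last.

```json
{
  "authentication": {
    "blockUnknown": true,
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "solradmin": "REPLACE_WITH_SHA256_HASH REPLACE_WITH_SALT"
    }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      { "name": "security-edit",         "role": "admin" },
      { "name": "config-edit",           "role": "admin" },
      { "name": "schema-edit",           "role": "admin" },
      { "name": "core-admin-edit",       "role": "admin" },
      { "name": "collection-admin-edit", "role": "admin" },
      { "name": "all",                   "role": "admin" }
    ],
    "user-role": {
      "solradmin": "admin"
    }
  }
}
```

For a standalone Solr node the file is placed in the Solr home directory; in SolrCloud mode it is uploaded to ZooKeeper (for example with bin/solr zk cp). "blockUnknown": true rejects requests that carry no credentials at all, so an unauthenticated core-creation or config-edit request is refused before any handler runs. After enabling it, check the effective rules with an authenticated GET against /solr/admin/authorization and confirm that an unauthenticated request to an admin handler returns 401 rather than succeeding.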

Mitigation

Apache Solr versions 8.11.4 and below are no longer community-supported. The community-supported version will not receive any updates to address this issue. For more information, see here.

Users of the affected components should apply one of the following mitigations:

  • Upgrade Apache Solr to >=9.8.0
  • Leverage a commercial support partner like HeroDevs for post-EOL support

Credits

  • Damon Toey

Vulnerability Details

Severity: Medium

Severity levels (CVSS assessment):
  • Low: >=0 <4
  • Medium: >=4 <6
  • High: >=6 <8
  • Critical: >=8 <10

ID: CVE-2026-22444
Project Affected: Apache Solr
Versions Affected: <9.8.0
NES Versions Affected:
Published date: March 12, 2026
≈ Fix date: February 3, 2026
Category: Authorization Bypass