CVE-2026-44825
Severity CVSS v4.0:
Pending analysis
Type:
CWE-798
Use of Hard-coded Credentials
Publication date:
01/06/2026
Last modified:
01/06/2026
Description
Hardcoded credentials in the Basic Authentication setup tool (bin/solr auth enable) in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allows a remote attacker to gain full administrative access to the cluster via publicly known default credentials installed silently alongside the user-specified account. <br />
<br />
As an immediate workaround without upgrading, delete the template users (superadmin, admin, search, index) from security.json or change their passwords.<br />
The future, not yet released, versions 9.11.0 and 10.1.0 will not be vulnerable, and it will be enough to upgrade to solve the issue.<br />
<br />
Not affected:<br />
* Clusters where bin/solr auth enable was not used to bootstrap BasicAuth<br />
* Clusters where template users have been assigned strong passwords after bootstrap
Impact
Base Score 3.x
8.10
Severity 3.x
HIGH
Vulnerable products and versions
| CPE | From | Up to |
|---|---|---|
| cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:* | 9.4.0 (including) | 9.10.1 (including) |
| cpe:2.3:a:apache:solr:10.0.0:*:*:*:*:*:*:* |
To consult the complete list of CPE names with products and versions, see this page



