CVE-2026-44825

Severity CVSS v4.0:
Pending analysis
Type:
CWE-798 Use of Hard-coded Credentials
Publication date:
01/06/2026
Last modified:
01/06/2026

Description

Hardcoded credentials in the Basic Authentication setup tool (bin/solr auth enable) in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allows a remote attacker to gain full administrative access to the cluster via publicly known default credentials installed silently alongside the user-specified account. <br /> <br /> As an immediate workaround without upgrading, delete the template users (superadmin, admin, search, index) from security.json or change their passwords.<br /> The future, not yet released, versions 9.11.0 and 10.1.0 will not be vulnerable, and it will be enough to upgrade to solve the issue.<br /> <br /> Not affected:<br /> * Clusters where bin/solr auth enable was not used to bootstrap BasicAuth<br /> * Clusters where template users have been assigned strong passwords after bootstrap

Vulnerable products and versions

CPE From Up to
cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:* 9.4.0 (including) 9.10.1 (including)
cpe:2.3:a:apache:solr:10.0.0:*:*:*:*:*:*:*