CVE-2026-44825
Gravedad CVSS v3.1:
ALTA
Tipo:
CWE-798
Credenciales embebidas en el software
Fecha de publicación:
01/06/2026
Última modificación:
01/06/2026
Descripción
*** Pendiente de traducción *** Hardcoded credentials in the Basic Authentication setup tool (bin/solr auth enable) in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allows a remote attacker to gain full administrative access to the cluster via publicly known default credentials installed silently alongside the user-specified account. <br />
<br />
As an immediate workaround without upgrading, delete the template users (superadmin, admin, search, index) from security.json or change their passwords.<br />
The future, not yet released, versions 9.11.0 and 10.1.0 will not be vulnerable, and it will be enough to upgrade to solve the issue.<br />
<br />
Not affected:<br />
* Clusters where bin/solr auth enable was not used to bootstrap BasicAuth<br />
* Clusters where template users have been assigned strong passwords after bootstrap
Impacto
Puntuación base 3.x
8.10
Gravedad 3.x
ALTA
Productos y versiones vulnerables
| CPE | Desde | Hasta |
|---|---|---|
| cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:* | 9.4.0 (incluyendo) | 9.10.1 (incluyendo) |
| cpe:2.3:a:apache:solr:10.0.0:*:*:*:*:*:*:* |
Para consultar la lista completa de nombres de CPE con productos y versiones, ver esta página



