Instituto Nacional de ciberseguridad. Sección Incibe
Instituto Nacional de Ciberseguridad. Sección INCIBE-CERT

CVE-2026-44825

Gravedad CVSS v3.1:
ALTA
Tipo:
CWE-798 Credenciales embebidas en el software
Fecha de publicación:
01/06/2026
Última modificación:
01/06/2026

Descripción

*** Pendiente de traducción *** Hardcoded credentials in the Basic Authentication setup tool (bin/solr auth enable) in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allows a remote attacker to gain full administrative access to the cluster via publicly known default credentials installed silently alongside the user-specified account. <br /> <br /> As an immediate workaround without upgrading, delete the template users (superadmin, admin, search, index) from security.json or change their passwords.<br /> The future, not yet released, versions 9.11.0 and 10.1.0 will not be vulnerable, and it will be enough to upgrade to solve the issue.<br /> <br /> Not affected:<br /> * Clusters where bin/solr auth enable was not used to bootstrap BasicAuth<br /> * Clusters where template users have been assigned strong passwords after bootstrap

Productos y versiones vulnerables

CPE Desde Hasta
cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:* 9.4.0 (incluyendo) 9.10.1 (incluyendo)
cpe:2.3:a:apache:solr:10.0.0:*:*:*:*:*:*:*