PatchSiren cyber security CVE debrief
CVE-2026-44825 Apache Software Foundation CVE debrief
Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 contain hardcoded credentials in the Basic Authentication setup tool (bin/solr auth enable). When administrators use this tool to bootstrap BasicAuth, the tool silently installs publicly known default credentials for template users (superadmin, admin, search, index) alongside the user-specified account. A remote attacker can leverage these well-known default credentials to gain full administrative access to the cluster. The vulnerability does not affect clusters where bin/solr auth enable was not used, or where template users were assigned strong passwords after bootstrap. Future versions 9.11.0 and 10.1.0 will remove the vulnerability.
- Vendor: Apache Software Foundation
- Product: Apache Solr
- CVSS: HIGH 8.1
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-06-01
- Original CVE updated: 2026-06-01
- Advisory published: 2026-06-01
- Advisory updated: 2026-06-01
Who should care
Organizations running Apache Solr 9.4.0–9.10.1 or 10.0.0 that used bin/solr auth enable to configure Basic Authentication. Cloud environments and multi-tenant deployments with Solr exposed to broader networks face elevated risk of unauthorized cluster compromise.
Technical summary
The bin/solr auth enable utility in affected Apache Solr versions creates template user accounts (superadmin, admin, search, index) with hardcoded, publicly known passwords during BasicAuth bootstrap. These accounts are installed silently without explicit administrator acknowledgment. Because the credentials are default and documented, any remote attacker who can reach the Solr cluster's authentication endpoint can authenticate as any of these template users and obtain full administrative privileges. The vulnerability is contingent on use of the affected setup tool; clusters with manually configured BasicAuth or clusters where template passwords were changed post-bootstrap are not affected.
Defensive priority
HIGH
Recommended defensive actions
- If bin/solr auth enable was used to configure BasicAuth, immediately delete the template users (superadmin, admin, search, index) from security.json or change their passwords to strong, unique values
- Upgrade to Apache Solr 9.11.0 or 10.1.0 when available, as these versions will not contain the hardcoded credentials
- Audit security.json for any remaining default or weak credentials across all Solr nodes
- Review access logs for unauthorized authentication attempts using known template usernames
- Restrict network access to Solr administrative interfaces to trusted hosts where possible
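The two audit steps above (checking security.json for the template accounts, and checking request logs for authentication as those accounts) can be scripted. The following is an added example written for this debrief, not Apache Solr code or tooling from the advisory. It assumes the security.json layout used by solr.BasicAuthPlugin (a `credentials` map of user to hash, plus an optional `user-role` map under `authorization`) and an NCSA-style request log whose third field carries the authenticated user; both the JSON document and the log lines below are constructed samples, and the hash strings are placeholders rather than real credential hashes.

```python
"""Audit a Solr security.json for the bin/solr auth enable template users
and scan request-log lines for authentication as those users.

Added example for this debrief; not Apache Solr code.  All sample data
below is constructed.
"""
import json
import re
from typing import Dict, List, Iterable

# Template account names listed in the advisory.
TEMPLATE_USERS = frozenset({"superadmin", "admin", "search", "index"})

# Constructed security.json in the solr.BasicAuthPlugin shape.
# The "hash salt" values are placeholders, not real Solr credential hashes.
SAMPLE_SECURITY_JSON = """
{
  "authentication": {
    "blockUnknown": true,
    "class": "solr.BasicAuthPlugin",
    "credentials": {
      "ops-user":   "PLACEHOLDER_HASH_1 PLACEHOLDER_SALT_1",
      "superadmin": "PLACEHOLDER_HASH_2 PLACEHOLDER_SALT_2",
      "admin":      "PLACEHOLDER_HASH_3 PLACEHOLDER_SALT_3",
      "search":     "PLACEHOLDER_HASH_4 PLACEHOLDER_SALT_4",
      "index":      "PLACEHOLDER_HASH_5 PLACEHOLDER_SALT_5"
    }
  },
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "user-role": {"ops-user": "admin", "superadmin": "admin"}
  }
}
"""

# Constructed NCSA-style request-log lines.  Treating the third field as the
# authenticated user is an assumption about the deployment's log format.
SAMPLE_REQUEST_LOG = [
    '10.0.0.5 - ops-user [01/Jun/2026:09:15:02 +0000] "GET /solr/admin/collections?action=LIST HTTP/1.1" 200 812',
    '203.0.113.7 - superadmin [01/Jun/2026:09:16:44 +0000] "GET /solr/admin/info/system HTTP/1.1" 200 2048',
    '203.0.113.7 - admin [01/Jun/2026:09:16:45 +0000] "POST /solr/admin/authentication HTTP/1.1" 401 0',
    '198.51.100.9 - - [01/Jun/2026:09:17:10 +0000] "GET /solr/ HTTP/1.1" 401 0',
]

LOG_RE = re.compile(
    r'^(?P<client>\S+) \S+ (?P<user>\S+) \[(?P<ts>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3})'
)


def find_template_users(security_json: str) -> List[str]:
    """Return the template accounts present in the BasicAuth credentials map."""
    doc = json.loads(security_json)
    auth = doc.get("authentication", {})
    if auth.get("class") != "solr.BasicAuthPlugin":
        return []  # the advisory only concerns BasicAuth bootstrapped by the tool
    return sorted(u for u in auth.get("credentials", {}) if u in TEMPLATE_USERS)


def remove_template_users(security_json: str) -> str:
    """Return security.json with template accounts dropped from credentials and user-role."""
    doc = json.loads(security_json)
    creds = doc.get("authentication", {}).get("credentials", {})
    for user in [u for u in creds if u in TEMPLATE_USERS]:
        del creds[user]
    roles = doc.get("authorization", {}).get("user-role", {})
    for user in [u for u in roles if u in TEMPLATE_USERS]:
        del roles[user]
    return json.dumps(doc, indent=2)


def scan_request_log(lines: Iterable[str]) -> List[Dict[str, object]]:
    """Return one record per request authenticated as a template user (any status)."""
    hits: List[Dict[str, object]] = []
    for line in lines:
        m = LOG_RE.match(line)
        if m and m.group("user") in TEMPLATE_USERS:
            hits.append({
                "client": m.group("client"),
                "user": m.group("user"),
                "status": int(m.group("status")),
                "request": m.group("request"),
            })
    return hits


if __name__ == "__main__":
    print("template users present:", find_template_users(SAMPLE_SECURITY_JSON))
    for hit in scan_request_log(SAMPLE_REQUEST_LOG):
        print("template-user request:", hit)
    print(remove_template_users(SAMPLE_SECURITY_JSON))
```

Both successful (2xx) and rejected (401) requests by template users are reported, since a burst of 401s against those names is itself a signal worth triaging. The rewritten document is only printed here; in a standalone node security.json is edited on disk, while in SolrCloud it lives in ZooKeeper and changes should go through the authentication API or a ZooKeeper upload rather than a local file edit.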
Evidence notes
CVE published 2026-06-01. CVSS 3.1 score 8.1 (HIGH). CWE-798 (Use of Hard-coded Credentials) and CWE-1188 (Insecure Default Initialization of Resource) identified. Apache security mailing list reference confirms vendor disclosure.
Official resources
- CVE-2026-44825 CVE record (CVE.org)
- CVE-2026-44825 NVD detail (NVD)
- Source item URL: nvd_modified
- Source reference: af854a3a-2127-422b-91ae-364da2661108 (2026-06-01)