PatchSiren cyber security CVE debrief
CVE-2026-45083 intranda CVE debrief
The Goobi viewer, a web application for displaying digitized material, contains a critical unauthenticated remote code execution vulnerability in versions 4.8.0 through 26.04.0. The REST endpoint POST /api/v1/index/stream accepts arbitrary Solr streaming expressions from unauthenticated network clients and forwards them directly to the backend Solr server without validation or restriction. This allows attackers to read the complete Solr index and, in default Solr configurations, modify or delete indexed records. The vulnerability stems from missing authentication controls (CWE-306) on a sensitive administrative interface. The CVSS 3.1 score of 9.8 reflects a network attack vector, low attack complexity, no privileges required, and high impact on confidentiality, integrity, and availability. The vendor has released version 26.04.1 to address this issue. Two commits are referenced as remediation: 326980f24ce1e7cfabf658dd5f615934ca68ebbd and 6bfb1cbd4250b0b347e84a80f38e8bf46acac705. Organizations should upgrade immediately and verify that Solr streaming expressions are not exposed to unauthenticated users.
- Vendor: intranda
- Product: goobi-viewer-core
- CVSS: CRITICAL 9.8
- CISA KEV: Not listed in stored evidence
- Original CVE published: 2026-05-27
- Original CVE updated: 2026-05-27
- Advisory published: 2026-05-27
- Advisory updated: 2026-05-27
Who should care
Organizations operating Goobi viewer digital library installations, particularly those with public-facing instances. Security teams responsible for Solr infrastructure and digital asset management platforms. Developers maintaining Goobi viewer deployments or forked implementations.
Technical summary
The Goobi viewer versions 4.8.0 through 26.04.0 expose a REST endpoint at POST /api/v1/index/stream that accepts arbitrary Solr streaming expressions without authentication. These expressions are forwarded directly to the backend Solr server, allowing unauthenticated network attackers to execute arbitrary streaming operations. In default Solr deployments, this enables reading the entire index (information disclosure) and modifying or deleting indexed records (integrity and availability impact). The vulnerability is classified as CWE-306 (Missing Authentication for Critical Function). The vendor has patched this in version 26.04.1 via commits 326980f24ce1e7cfabf658dd5f615934ca68ebbd and 6bfb1cbd4250b0b347e84a80f38e8bf46acac705.
Defensive priority
Critical
Recommended defensive actions
- Upgrade Goobi viewer to version 26.04.1 or later immediately
- Review Solr server configuration to ensure streaming expressions are restricted to authenticated administrative users
- Audit Solr index access logs for unauthorized streaming expression execution from the disclosure date (2026-05-27) until the patch was deployed
- Implement network segmentation to limit Solr server exposure to Goobi viewer application tier only
- Verify that no additional endpoints accept raw Solr expressions without authentication
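To support the log-audit action above, the following is an added example (not Goobi viewer or intranda code) that scans reverse-proxy access logs in front of the viewer for POST requests to /api/v1/index/stream, the endpoint named in the advisory, and summarizes them per source address. It assumes the proxy writes the common combined log format; the log lines embedded below are constructed for the example, and the `trusted_sources` allow-list is a hypothetical parameter for excluding hosts that are known to call the endpoint legitimately.

```python
"""Flag requests to the Goobi viewer streaming endpoint in access logs.

Added example for triage, not Goobi viewer or intranda code. Assumes a
combined-format access log from the proxy in front of the viewer. The
SAMPLE_LOG lines are constructed, not captured from a real system.
"""
import re
from dataclasses import dataclass

# Endpoint named in the advisory. The match is anchored so that a query
# string or trailing slash is still caught, but unrelated paths that merely
# share the prefix (e.g. /api/v1/index/streaming) are not.
STREAM_ENDPOINT = re.compile(r"^/api/v1/index/stream(?:[/?#]|$)")

# Combined log format: ip ident user [timestamp] "METHOD path PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# Constructed sample: two hosts hitting the stream endpoint, one normal
# manifest request, and one request to a similarly named path that must
# not be flagged.
SAMPLE_LOG = """\
203.0.113.7 - - [28/May/2026:10:12:01 +0000] "POST /api/v1/index/stream HTTP/1.1" 200 5124
203.0.113.7 - - [28/May/2026:10:12:09 +0000] "POST /api/v1/index/stream?wt=json HTTP/1.1" 200 9981
198.51.100.4 - - [28/May/2026:10:13:40 +0000] "GET /api/v1/records/PPN123/manifest HTTP/1.1" 200 2048
203.0.113.7 - - [28/May/2026:10:14:02 +0000] "POST /api/v1/index/streaming HTTP/1.1" 404 0
192.0.2.9 - - [28/May/2026:10:15:30 +0000] "POST /api/v1/index/stream HTTP/1.1" 500 233
"""


@dataclass
class Hit:
    ip: str
    ts: str
    method: str
    path: str
    status: int


def parse_line(line):
    """Parse one combined-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    return m.groupdict() if m else None


def find_stream_requests(log_text, trusted_sources=frozenset()):
    """Return a Hit for every POST to the stream endpoint.

    trusted_sources (hypothetical parameter): source addresses that are
    expected to use the endpoint; their requests are excluded from the result.
    """
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["method"] != "POST" or not STREAM_ENDPOINT.match(rec["path"]):
            continue
        if rec["ip"] in trusted_sources:
            continue
        hits.append(Hit(rec["ip"], rec["ts"], rec["method"], rec["path"], int(rec["status"])))
    return hits


def summarize(hits):
    """Count flagged requests per source address, most active first."""
    counts = {}
    for h in hits:
        counts[h.ip] = counts.get(h.ip, 0) + 1
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))


if __name__ == "__main__":
    flagged = find_stream_requests(SAMPLE_LOG)
    for ip, n in summarize(flagged):
        print(f"{ip}: {n} POST request(s) to /api/v1/index/stream")
    for h in flagged:
        print(f"  {h.ts}  {h.ip}  {h.path}  -> {h.status}")
```

Any source that appears in the summary and is not an administrative host you recognize is a candidate for follow-up against the Solr side (which records the expressions actually executed), and the same pass can be rerun after upgrading to 26.04.1 to confirm that unauthenticated requests now fail.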
Evidence notes
CVE description confirms unauthenticated POST to /api/v1/index/stream accepts arbitrary Solr streaming expressions. CVSS 3.1 vector AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H supports critical severity. GitHub Security Advisory GHSA-2rgp-f66f-4499 and two commits (326980f24ce1e7cfabf658dd5f615934ca68ebbd, 6bfb1cbd4250b0b347e84a80f38e8bf46acac705) document the fix in version 26.04.1. CWE-306 (Missing Authentication for Critical Function) is the primary weakness classification.
Official resources
- GitHub Security Advisory GHSA-2rgp-f66f-4499 (published 2026-05-27)