CVE-2026-44825: Apache Solr Hardcoded Credentials Remote Admin Access
Apache Solr's authentication setup tool comes with hardcoded default credentials that are silently installed in addition to any user-specified accounts. A remote attacker who knows these public defaults can bypass the security layer entirely and gain full administrative control of the Solr cluster. This affects versions 9.4.0 through 9.10.1 and 10.0.0, but only if the basic authentication setup tool was used during cluster initialization.
Source data · NVD / CISA · public domain
- CVSS
- 3.1 · 8.1 HIGH · CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
- Weaknesses (CWE)
- CWE-1188, CWE-798
- Affected products
- 2 configuration(s)
- Published / Modified
- 2026-06-01 / 2026-06-17
NVD description (verbatim)
Hardcoded credentials in the Basic Authentication setup tool (bin/solr auth enable) in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allows a remote attacker to gain full administrative access to the cluster via publicly known default credentials installed silently alongside the user-specified account. As an immediate workaround without upgrading, delete the template users (superadmin, admin, search, index) from security.json or change their passwords. The future, not yet released, versions 9.11.0 and 10.1.0 will not be vulnerable, and it will be enough to upgrade to solve the issue. Not affected: * Clusters where bin/solr auth enable was not used to bootstrap BasicAuth * Clusters where template users have been assigned strong passwords after bootstrap
2 reference(s) · View on NVD →
SEC.co analysis · AI-assisted, reviewed against source
Technical summary
CVE-2026-44825 exists in the bin/solr auth enable bootstrap utility, which configures basic authentication for Apache Solr. The vulnerability stems from hardcoded template credentials (superadmin, admin, search, index) that are unconditionally written to security.json alongside user-configured accounts. An unauthenticated network attacker can authenticate using these well-known defaults to gain administrative privileges, bypassing the intended authentication mechanism. The vulnerability is rooted in insecure defaults (CWE-798) and insufficient initialization (CWE-1188). Affected versions include the entire 9.4.x through 9.10.x series and 10.0.0. Remediation will be available in the unreleased versions 9.11.0 and 10.1.0.
Business impact
Compromise of a Solr cluster grants attackers unrestricted read and write access to indexed data, ability to execute administrative operations, potential cluster shutdown, and lateral movement opportunities if Solr interacts with backend systems or authenticated data sources. For organizations relying on Solr for search or analytics in production environments, this represents a path to data exfiltration, integrity violation, and service disruption without requiring sophisticated attack techniques—only knowledge of public default credentials.
Affected systems
Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 are vulnerable only when basic authentication was configured using the bin/solr auth enable tool. Clusters that did not use this bootstrap method or that have already changed the template user passwords to strong values are not affected. Users on versions prior to 9.4.0 or on future versions 9.11.0 and 10.1.0 are not vulnerable.
Exploitability
The attack requires network access to the Solr API endpoint but no authentication credentials initially—the attacker supplies the hardcoded defaults. The difficulty factor is rated as 'high' in the CVSS vector, likely reflecting the requirement to identify that the vulnerable bootstrap method was used and that template users have not been remediated. However, once the configuration is discovered, exploitation is trivial and deterministic. The attack surface is public-facing if Solr is internet-accessible or present on an internal network where an attacker has gained a foothold.
Remediation
Immediate action: Apply one of two workarounds without upgrading: (1) delete the template users (superadmin, admin, search, index) from the security.json file, or (2) reset their passwords to strong, unique values. Long-term solution: upgrade to the forthcoming versions 9.11.0 or 10.1.0 when released, which will eliminate the hardcoded defaults entirely. Verify template user accounts have been removed or secured before considering the cluster adequately protected.
Patch guidance
Patches are not yet available. However, the vendor has committed to releasing fixed versions 9.11.0 for the 9.x line and 10.1.0 for the 10.x line. Organizations should monitor Apache Solr's official release channels and security advisories for availability. Until patched versions are released, immediately apply the manual workaround: modify security.json to either remove template user entries or assign them cryptographically strong passwords (minimum 20 characters, mixed character types). Restart the Solr service to apply changes, and verify via API that the defaults no longer authenticate.
Detection guidance
Search for evidence of exploitation by examining authentication logs for successful login attempts using the default usernames (superadmin, admin, search, index) from unexpected sources or at unusual times. Monitor API audit logs for administrative operations (config changes, index deletion, user management) performed by these accounts post-bootstrap. Check security.json files in deployed Solr instances for the presence of these template users with unchanged passwords. Network-level detection can identify connections to Solr API endpoints attempting to authenticate with known default credentials, though this requires ingestion of basic auth headers or traffic analysis.
Why prioritize this
This vulnerability merits urgent prioritization due to its CVSS 8.1 (HIGH) rating and the simplicity of exploitation. The attack grants immediate full administrative compromise with no privilege escalation needed. While patches are not yet available, the immediate applicability of the workaround and the clarity of affected versions allow rapid risk reduction. Organizations running Solr should be elevated in triage queues, and their configuration should be audited before attackers can exploit the hardcoded defaults.
Risk score, explained
The CVSS 3.1 score of 8.1 reflects a high-severity vulnerability with network-accessible attack vector, no authentication required, user interaction not needed, and scope unchanged. The impact is high across confidentiality (data exposure), integrity (modification/deletion), and availability (potential cluster shutdown). The 'high' complexity factor suggests some environmental knowledge or configuration discovery is required, preventing a critical score, but does not materially lower the business risk to organizations where Solr is exposed or holds sensitive data.
Frequently asked questions
Do I need to upgrade immediately, or can I use the workaround?
The workaround is effective and should be applied immediately while awaiting patched versions. Delete or reset the template user passwords in security.json, restart Solr, and verify the defaults no longer work. Once versions 9.11.0 or 10.1.0 are released, plan an upgrade during your normal maintenance window. Relying solely on the workaround is acceptable short-term, but upgrading eliminates the root cause.
How do I know if my cluster is vulnerable?
Your cluster is vulnerable if: (1) you are running Solr 9.4.0–9.10.1 or 10.0.0, (2) you used bin/solr auth enable to configure basic authentication, and (3) the template users (superadmin, admin, search, index) are still present in security.json with unchanged passwords. Check your security.json file and verify which bootstrap method was used during initial setup.
If I haven't bootstrapped authentication yet, should I avoid using bin/solr auth enable?
Do not use bin/solr auth enable until you upgrade to a patched version or apply the workaround immediately after running it. If you must configure authentication now, use alternative authentication methods or manually configure security.json to avoid the vulnerable bootstrap tool. Once patched versions are available, the tool will be safe to use.
Does this affect my Solr cloud setup differently than standalone?
The vulnerability applies to both standalone and SolrCloud configurations where bin/solr auth enable was used. In clustered environments, a single compromised node grants attackers access to the entire distributed system. Apply the workaround to all nodes in your cluster and verify all instances have had template users removed or secured.
This analysis is provided for informational purposes and does not constitute legal, compliance, or investment advice. The vulnerability details, affected versions, and remediation guidance are based on the published CVE record and vendor advisory. Organizations should independently verify their Solr deployments, test patches and workarounds in non-production environments before deployment, and consult with their security teams. Patch availability dates and version numbers are subject to change; verify against official Apache Solr release notes before proceeding. SEC.co makes no warranty regarding the completeness or timeliness of this information. Source: NVD (public-domain), retrieved 2026-07-07. Analysis generated by SEC.co (claude-haiku-4-5).
Related vulnerabilities
- CVE-2026-36616MEDIUMMercusys AC12G Hardcoded WiFi Credentials Vulnerability
- CVE-2019-25722HIGHHard-Coded Credentials and DoS in Dräger Patient Monitoring Devices
- CVE-2026-35672HIGHphpMyFAQ Authentication Bypass Allows Unauthorized FAQ Content Injection
- CVE-2026-36606HIGHMercusys AC12G V1 Hardcoded DES Encryption in Configuration Backups
- CVE-2026-21404MEDIUMNAVTOR NavBox Hard-Coded SOAP Credentials Allow Local File Modification
- CVE-2026-25600MEDIUMPDBM Hard-Coded Encryption Secret Vulnerability
- CVE-2026-36612MEDIUMMercusys AC12G Weak WPS Lockout Policy Enables Router Compromise
- CVE-2026-35563HIGHApache Directory LDAP API Hostname Verification Bypass