
CVE-2026-44825 | Apache Solr AuthTool Hardcoded Credentials Vulnerability

CVE-2026-44825 is a hardcoded credentials vulnerability in Apache Solr’s Basic Authentication setup tool, bin/solr auth enable, affecting SolrCloud deployments. This vulnerability was discovered by the Horizon3.ai Attack Team and responsibly disclosed to the Apache Solr project. When used to enable BasicAuth, the tool can silently install undocumented template users with publicly known default credentials, potentially giving a remote attacker full administrative access to the SolrCloud cluster. 🚨

CVE-2026-44825 affects Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0. The vulnerability exists in the SolrCloud Basic Authentication setup workflow. When administrators use bin/solr auth enable, Solr can create additional template accounts in security.json, including: superadmin, admin, search, and index. These accounts may be installed with hardcoded credentials where the username equals the password. If the Solr admin API is reachable, an attacker can authenticate using those credentials and gain administrative access to the cluster. The superadmin account has security-edit privileges, which can allow an attacker to access indexed data, modify authentication settings, create backdoor accounts, and potentially move toward remote code execution depending on cluster configuration. 🔒

Clusters where bin/solr auth enable was not used to bootstrap BasicAuth, or where the template users were assigned strong passwords after bootstrap, are not affected. For mitigation, administrators should upgrade to Apache Solr 9.11.0 or 10.1.0 when available. Until then, an immediate workaround is to remove the template users (superadmin, admin, search, and index) from security.json, or to change their passwords. ⚠️
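An audit script for the workaround above, written as an added example for this post (it is not code from Apache Solr, Horizon3.ai, or the advisory). It loads a security.json document, checks whether any of the four template users still has a password equal to its username, and produces a copy with those users removed from both the credentials map and the authorization user-role map. The one assumption is the credential format: Solr's BasicAuth provider stores base64(sha256(sha256(salt || password))), a space, and the base64 salt, and the script recomputes that hash with the stored salt rather than guessing passwords over the network. The sample security.json is constructed here with invented values and a fixed salt so the run is deterministic.

```python
import base64
import copy
import hashlib
import hmac
import json
import os
import sys

# Template accounts the advisory says "bin/solr auth enable" may install.
TEMPLATE_USERS = ("superadmin", "admin", "search", "index")


def solr_sha256(password, salt_b64):
    """Recompute a Solr BasicAuth credential hash for a given salt.

    Assumption (mirrors Solr's Sha256AuthenticationProvider as I understand
    it; this is not Solr's own code): the stored value is
    base64(sha256(sha256(salt_bytes || password_utf8))) + " " + base64(salt).
    """
    salt = base64.b64decode(salt_b64)
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(hashlib.sha256(inner).digest()).decode("ascii")


def make_credential(password, salt=None):
    """Produce the 'hash salt' string form stored in security.json."""
    salt = os.urandom(32) if salt is None else salt
    salt_b64 = base64.b64encode(salt).decode("ascii")
    return solr_sha256(password, salt_b64) + " " + salt_b64


def credential_matches(stored, candidate):
    """True if `candidate` is the password behind a stored 'hash salt' value."""
    parts = stored.split(" ")
    if len(parts) != 2:
        return False  # malformed entry: report as non-matching, never as safe
    hashed, salt_b64 = parts
    computed = solr_sha256(candidate, salt_b64)
    return hmac.compare_digest(hashed.encode("utf-8"), computed.encode("utf-8"))


def find_default_template_users(security):
    """Template users whose stored password still equals their username."""
    creds = security.get("authentication", {}).get("credentials", {})
    return [u for u in TEMPLATE_USERS
            if u in creds and credential_matches(creds[u], u)]


def remove_template_users(security):
    """Return a copy of security.json with the template users dropped from
    both the credentials map and the authorization user-role map."""
    cleaned = copy.deepcopy(security)
    creds = cleaned.get("authentication", {}).get("credentials", {})
    roles = cleaned.get("authorization", {}).get("user-role", {})
    for user in TEMPLATE_USERS:
        creds.pop(user, None)
        roles.pop(user, None)
    return cleaned


# Constructed sample: invented values; a fixed salt keeps the run deterministic.
_SALT = bytes(range(32))
SAMPLE_SECURITY = {
    "authentication": {
        "blockUnknown": True,
        "class": "solr.BasicAuthPlugin",
        "credentials": {
            "solr": make_credential("long-unique-operator-passphrase", _SALT),
            "superadmin": make_credential("superadmin", _SALT),  # still default
            "admin": make_credential("admin", _SALT),            # still default
            "search": make_credential("rotated-after-bootstrap", _SALT),
            "index": make_credential("index", _SALT),            # still default
        },
    },
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "user-role": {"solr": "admin", "superadmin": "admin", "admin": "admin",
                      "search": "search", "index": "index"},
        "permissions": [{"name": "security-edit", "role": "admin"}],
    },
}


if __name__ == "__main__":
    # Usage: python audit_security_json.py [path/to/security.json]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            security = json.load(fh)
    else:
        security = SAMPLE_SECURITY
    stale = find_default_template_users(security)
    print("template users still at default password:", stale or "none")
    if stale:
        print(json.dumps(remove_template_users(security), indent=2))
```

Run it against a copy of the cluster's live security.json (in SolrCloud that document lives in ZooKeeper, so export it first). A user that no longer matches is reported as clean, and a malformed credential entry is reported as not matching rather than silently skipped; after writing the cleaned document back, rerun the audit to confirm the four names are gone.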

On May 29, 2026, Apache publicly disclosed CVE-2026-44825 via the oss-security mailing list and released remediation guidance. Apache also published SOLR-18233 and credited Naveen Sunkavally of Horizon3.ai for responsibly reporting the vulnerability. By June 2, 2026, a NodeZero Rapid Response test was available to validate exploitability and verify remediation.

This post is licensed under CC BY 4.0 by the author.