BIT-solr-2026-44825

See a problem?
Import Source
https://github.com/bitnami/vulndb/tree/main/data/solr/BIT-solr-2026-44825.json
JSON Data
https://api.test.osv.dev/v1/vulns/BIT-solr-2026-44825
Aliases
Published
2026-06-05T05:53:30.550Z
Modified
2026-06-05T07:45:33.918849452Z
Summary
Apache Solr: Enabling BasicAuth using bin/solr CLI configures additional insecure users
Details

Hardcoded credentials in the Basic Authentication setup tool (bin/solr auth enable) in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allows a remote attacker to gain full administrative access to the cluster via publicly known default credentials installed silently alongside the user-specified account.

As an immediate workaround without upgrading, delete the template users (superadmin, admin, search, index) from security.jsonĀ or change their passwords. The future, not yet released, versions 9.11.0 and 10.1.0 will not be vulnerable, and it will be enough to upgrade to solve the issue.

Not affected: * Clusters where bin/solr auth enable was not used to bootstrap BasicAuth * Clusters where template users have been assigned strong passwords after bootstrap

Database specific 
{
    "cpes": [
        "cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*"
    ],
    "severity": "Critical"
}
References

Affected packages

Bitnami / solr

Package

Name
solr
Purl
pkg:bitnami/solr

Severity

  • 9.8 (Critical) CVSS_V3 - CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H CVSS Calculator

Affected ranges

Type
SEMVER
Events
Introduced
9.4.0
Fixed
10.0.0
Type
SEMVER
Events
Introduced
10.0.0
Last affected
10.0.0

Database specific

source 
"https://github.com/bitnami/vulndb/tree/main/data/solr/BIT-solr-2026-44825.json"