{"resultsPerPage":1,"startIndex":0,"totalResults":1,"format":"NVD_CVE","version":"2.0","timestamp":"2026-06-03T12:29:52.492","vulnerabilities":[{"cve":{"id":"CVE-2026-22444","sourceIdentifier":"security@apache.org","published":"2026-01-21T14:16:06.707","lastModified":"2026-01-27T20:30:40.703","vulnStatus":"Analyzed","cveTags":[],"descriptions":[{"lang":"en","value":"The \"create core\" API of Apache Solr 8.6 through 9.10.0 lacks sufficient input validation on some API parameters, which can cause Solr to check the existence of and attempt to read file-system paths that should be disallowed by Solr's  \"allowPaths\" security setting https://https://solr.apache.org/guide/solr/latest/configuration-guide/configuring-solr-xml.html#the-solr-element .  These read-only accesses can allow users to create cores using unexpected configsets if any are accessible via the filesystem.  On Windows systems configured to allow UNC paths this can additionally cause disclosure of NTLM \"user\" hashes. \n\nSolr deployments are subject to this vulnerability if they meet the following criteria:\n  *  Solr is running in its \"standalone\" mode.\n  *  Solr's \"allowPath\" setting is being used to restrict file access to certain directories.\n  *  Solr's \"create core\" API is exposed and accessible to untrusted users.  This can happen if Solr's  RuleBasedAuthorizationPlugin https://solr.apache.org/guide/solr/latest/deployment-guide/rule-based-authorization-plugin.html  is disabled, or if it is enabled but the \"core-admin-edit\" predefined permission (or an equivalent custom permission) is given to low-trust (i.e. non-admin) user roles.\n\nUsers can mitigate this by enabling Solr's RuleBasedAuthorizationPlugin (if disabled) and configuring a permission-list that prevents untrusted users from creating new Solr cores.  Users should also upgrade to Apache Solr 9.10.1 or greater, which contain fixes for this issue."},{"lang":"es","value":"La API 'create core' de Apache Solr 8.6 hasta 9.10.0 carece de suficiente validación de entrada en algunos parámetros de la API, lo que puede hacer que Solr compruebe la existencia e intente leer rutas del sistema de archivos que deberían ser denegadas por la configuración de seguridad 'allowPaths' de Solr https://https://solr.apache.org/guide/solr/latest/configuration-guide/configuring-solr-xml.html#the-solr-element . Estos accesos de solo lectura pueden permitir a los usuarios crear núcleos utilizando conjuntos de configuración (configsets) inesperados si alguno es accesible a través del sistema de archivos. En sistemas Windows configurados para permitir rutas UNC, esto puede causar adicionalmente la divulgación de hashes NTLM de 'usuario'.\n\nLas implementaciones de Solr están sujetas a esta vulnerabilidad si cumplen los siguientes criterios:\n  * Solr se está ejecutando en su modo 'standalone'.\n  * La configuración 'allowPath' de Solr se está utilizando para restringir el acceso a archivos a ciertos directorios.\n  * La API 'create core' de Solr está expuesta y es accesible para usuarios no confiables. Esto puede ocurrir si el RuleBasedAuthorizationPlugin de Solr https://solr.apache.org/guide/solr/latest/deployment-guide/rule-based-authorization-plugin.html está deshabilitado, o si está habilitado pero el permiso predefinido 'core-admin-edit' (o un permiso personalizado equivalente) se otorga a roles de usuario de baja confianza (es decir, no administradores).\n\nLos usuarios pueden mitigar esto habilitando el RuleBasedAuthorizationPlugin de Solr (si está deshabilitado) y configurando una lista de permisos que impida a los usuarios no confiables crear nuevos núcleos de Solr. Los usuarios también deberían actualizar a Apache Solr 9.10.1 o superior, que contienen correcciones para este problema."}],"metrics":{"cvssMetricV31":[{"source":"134c704f-9b21-4f2e-91b3-4a467353bcc0","type":"Secondary","cvssData":{"version":"3.1","vectorString":"CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N","baseScore":7.1,"baseSeverity":"HIGH","attackVector":"NETWORK","attackComplexity":"LOW","privilegesRequired":"LOW","userInteraction":"NONE","scope":"UNCHANGED","confidentialityImpact":"HIGH","integrityImpact":"LOW","availabilityImpact":"NONE"},"exploitabilityScore":2.8,"impactScore":4.2}]},"weaknesses":[{"source":"security@apache.org","type":"Secondary","description":[{"lang":"en","value":"CWE-20"}]}],"configurations":[{"nodes":[{"operator":"OR","negate":false,"cpeMatch":[{"vulnerable":true,"criteria":"cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*","versionStartIncluding":"8.6.0","versionEndExcluding":"9.10.1","matchCriteriaId":"8EEA3BEF-03F1-4D74-A368-95EDEAA65966"}]}]}],"references":[{"url":"https://lists.apache.org/thread/qkrb9dd4xrlqmmq73lrhkbfkttto2d1m","source":"security@apache.org","tags":["Mailing List"]},{"url":"http://www.openwall.com/lists/oss-security/2026/01/20/5","source":"af854a3a-2127-422b-91ae-364da2661108","tags":["Mailing List"]}]}}]}