The "create core" API of Apache Solr 8.6 through 9.10.0 lacks sufficient input validation on some API parameters, which can cause Solr to check the existence of and attempt to read file-system paths that should be disallowed by Solr's "allowPaths" security setting (https://solr.apache.org/guide/solr/latest/configuration-guide/configuring-solr-xml.html#the-solr-element). These read-only accesses can allow users to create cores using unexpected configsets if any are accessible via the filesystem. On Windows systems configured to allow UNC paths, this can additionally cause disclosure of NTLM "user" hashes.
Solr deployments are subject to this vulnerability if they meet all of the following criteria:
* Solr is running in its "standalone" mode.
* Solr's "allowPaths" setting is being used to restrict file access to certain directories.
* Solr's "create core" API is exposed and accessible to untrusted users. This can happen if Solr's RuleBasedAuthorizationPlugin (https://solr.apache.org/guide/solr/latest/deployment-guide/rule-based-authorization-plugin.html) is disabled, or if it is enabled but the "core-admin-edit" predefined permission (or an equivalent custom permission) is given to low-trust (i.e. non-admin) user roles.
Users can mitigate this by enabling Solr's RuleBasedAuthorizationPlugin (if disabled) and configuring a permission list that prevents untrusted users from creating new Solr cores. Users should also upgrade to Apache Solr 9.10.1 or greater, which contains fixes for this issue.
"https://storage.googleapis.com/cve-osv-conversion/osv-output/CVE-2026-22444.json"
[
{
"source": "https://github.com/apache/solr/commit/c135e6335c7158fa26e96b0dc386f825255b47c0",
"digest": {
"line_hashes": [
"120351066446823816478796849004261422818",
"240096633457384710817831422835243155014",
"38407301923442668321566180519037740960",
"70887022760867387724935329588019576026",
"179764876838053657294407215034930486763",
"147010765790336563100542354187234898306",
"235195966746351378923427209707493487952",
"252738467133413507932928310686382280740",
"125498264179157591138267264563231953791",
"274556390625100524067649328904052755074",
"105724591352013391946343718295551276907"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "solr/core/src/java/org/apache/solr/handler/SchemaHandler.java"
},
"id": "CVE-2026-22444-080149c3"
},
{
"source": "https://github.com/apache/solr/commit/c135e6335c7158fa26e96b0dc386f825255b47c0",
"digest": {
"line_hashes": [
"213816450732649115831861879533981273321",
"163193992802835521350643549808705414096",
"279118738397569944925485559297762383710",
"292160663259868763816534406745559155717",
"292886144000345370672917144520777225418",
"212218239995638886601205653734497122566",
"115623506190209366829014816956538412072",
"224564576758229972759187356840065482736",
"217331465601713269584028593832134385524",
"89782819908593946504040573337181962855",
"42860695080087217257410980168474507559",
"107838308683085978204004722138780091915",
"79058199511659309388233803781513898946",
"111432781214598984776824816440695734017"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPluginBase.java"
},
"id": "CVE-2026-22444-0c32e4e6"
},
{
"source": "https://github.com/apache/solr/commit/c135e6335c7158fa26e96b0dc386f825255b47c0",
"digest": {
"length": 823.0,
"function_hash": "32925405534186697611758232727948623468"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"file": "solr/core/src/java/org/apache/solr/handler/SolrConfigHandler.java",
"function": "handleRequestBody"
},
"id": "CVE-2026-22444-0d1b1c1f"
},
{
"source": "https://github.com/apache/solr/commit/c135e6335c7158fa26e96b0dc386f825255b47c0",
"digest": {
"line_hashes": [
"314801486394218332716187729587448876463",
"297668234085621649269638207073739227034",
"26281571418882802927218490246317570896",
"205376203250744969032773389049148311459",
"283448128921637611284629852895021185453",
"328300450744435674427303806605054338610",
"126769086198631888730044546654791673343",
"151361157194820677335377167858870518441",
"196983403002202730118792808163427749455",
"270709262109556431487133335638324708502",
"231172665077771227225530430677086623289",
"143827515772777178233896868672522835173",
"39774938605117814597467235289023746573",
"123918541420775112442862666052329074535",
"271722009058798431788998140996009881917"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "solr/core/src/java/org/apache/solr/handler/admin/ZookeeperInfoHandler.java"
},
"id": "CVE-2026-22444-1807e42d"
},
{
"source": "https://github.com/apache/solr/commit/c135e6335c7158fa26e96b0dc386f825255b47c0",
"digest": {
"line_hashes": [
"184580313771887693335343806361893098191",
"114232322428923849323544561933002927043",
"30584587213142902972153208626010345669",
"43693651672511506419582617180681485734"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "solr/core/src/java/org/apache/solr/handler/admin/InfoHandler.java"
},
"id": "CVE-2026-22444-2383ef3c"
},
{
"source": "https://github.com/apache/solr/commit/c135e6335c7158fa26e96b0dc386f825255b47c0",
"digest": {
"length": 218.0,
"function_hash": "309815762935292469119908422789899307526"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"file": "solr/core/src/java/org/apache/solr/handler/SchemaHandler.java",
"function": "getPermissionName"
},
"id": "CVE-2026-22444-24965513"
},
{
"source": "https://github.com/apache/solr/commit/c135e6335c7158fa26e96b0dc386f825255b47c0",
"digest": {
"length": 763.0,
"function_hash": "198955079849774671245214682800515656826"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"file": "solr/core/src/java/org/apache/solr/security/RuleBasedAuthorizationPluginBase.java",
"function": "predefinedPermissionAppliesToRequest"
},
"id": "CVE-2026-22444-3f238353"
},
{
"source": "https://github.com/apache/solr/commit/c135e6335c7158fa26e96b0dc386f825255b47c0",
"digest": {
"length": 3364.0,
"function_hash": "192251288855912286863646833069882127951"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"file": "solr/core/src/java/org/apache/solr/api/V2HttpCall.java",
"function": "init"
},
"id": "CVE-2026-22444-41a805d0"
},
{
"source": "https://github.com/apache/solr/commit/c135e6335c7158fa26e96b0dc386f825255b47c0",
"digest": {
"length": 491.0,
"function_hash": "243056432508320266151977870548656376306"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"file": "solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java",
"function": "HttpSolrCall"
},
"id": "CVE-2026-22444-52fb444d"
},
{
"source": "https://github.com/apache/solr/commit/c135e6335c7158fa26e96b0dc386f825255b47c0",
"digest": {
"length": 372.0,
"function_hash": "82786319854879818071137322427327792859"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"file": "solr/core/src/java/org/apache/solr/handler/admin/ConfigSetsHandler.java",
"function": "getPermissionName"
},
"id": "CVE-2026-22444-5b865d58"
},
{
"source": "https://github.com/apache/solr/commit/c135e6335c7158fa26e96b0dc386f825255b47c0",
"digest": {
"line_hashes": [
"318557942750693441999088965693350408448",
"89960675082884901922971492094076631557",
"262092700101760725112401888166373233301",
"334782200771506371045421436203045874610",
"131546795612910344415808924453403828385",
"221912604077071235305348779528085248181",
"89567214609396714330781788893967812849",
"284614647882360805072877494404776484119"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "solr/core/src/java/org/apache/solr/api/V2HttpCall.java"
},
"id": "CVE-2026-22444-6be6609b"
},
{
"source": "https://github.com/apache/solr/commit/c135e6335c7158fa26e96b0dc386f825255b47c0",
"digest": {
"line_hashes": [
"58079458214666953562059678735478141157",
"240096633457384710817831422835243155014",
"38407301923442668321566180519037740960",
"70887022760867387724935329588019576026",
"179764876838053657294407215034930486763",
"260152357607745243888842854418287848754",
"86961638886321900848155678858025933347",
"252738467133413507932928310686382280740",
"302947476867847430838349182753615611583"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "solr/core/src/java/org/apache/solr/handler/SolrConfigHandler.java"
},
"id": "CVE-2026-22444-7696d9b0"
},
{
"source": "https://github.com/apache/solr/commit/c135e6335c7158fa26e96b0dc386f825255b47c0",
"digest": {
"length": 969.0,
"function_hash": "187430033858308537579957157295996246614"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"file": "solr/core/src/java/org/apache/solr/handler/SchemaHandler.java",
"function": "handleRequestBody"
},
"id": "CVE-2026-22444-948e0f90"
},
{
"source": "https://github.com/apache/solr/commit/c135e6335c7158fa26e96b0dc386f825255b47c0",
"digest": {
"line_hashes": [
"268011071793190307035707587271849564271",
"220884027888050459794073188008898298494",
"67285741456772442012070940876174401461"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "solr/core/src/java/org/apache/solr/handler/admin/ConfigSetsHandler.java"
},
"id": "CVE-2026-22444-9673dd58"
},
{
"source": "https://github.com/apache/solr/commit/c135e6335c7158fa26e96b0dc386f825255b47c0",
"digest": {
"length": 193.0,
"function_hash": "293080062925405529498466231476761499269"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"file": "solr/core/src/java/org/apache/solr/handler/admin/SecurityConfHandler.java",
"function": "getPermissionName"
},
"id": "CVE-2026-22444-9b2dfa87"
},
{
"source": "https://github.com/apache/solr/commit/c135e6335c7158fa26e96b0dc386f825255b47c0",
"digest": {
"line_hashes": [
"150813839389802449390950779385082769168",
"157794120277178151238190850924822186718",
"314736040055257015328658767592783323746",
"74116944502192974550916330399986272055",
"100520713306865751721762720970362402368",
"118794164569753631862788791376220138110",
"221156805908894640553280895674511800568",
"143789150691660144250348740337673456259",
"46293612379576255285533091099265037937",
"108049300500548630487952472209689740132",
"106565269668895078264801588273834550237",
"204853156103783033210753635899650237082",
"50185046149780929867426153052567393208",
"253377974398886683499594306020509175379",
"227591688282585696639089661864366244677",
"206431445711209699518597590513933735912",
"50185046149780929867426153052567393208",
"91721883678795952664516638675545785829",
"137957176553714511067886981903703329252",
"4685551427119535434065476578473383278",
"137764885550340150603133934097966614117",
"270858092755672118626541746230037820837",
"24047165802911169747952491494324947778",
"245056690808061670376731011290420441844",
"198225703671653806079590215890600246031",
"103515158874399903575503905129021947114",
"98286586969809525074700928560639018412",
"210068617637129298119821977885415841024",
"195650629001091535143767240297304192978"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java"
},
"id": "CVE-2026-22444-ad906785"
},
{
"source": "https://github.com/apache/solr/commit/c135e6335c7158fa26e96b0dc386f825255b47c0",
"digest": {
"line_hashes": [
"268561176960722250138687528000324643692",
"67774571265588972589539497833261280251",
"189415833787220364941020379284641578567",
"194557142506412884006270997149839987165",
"84419659714445746731018964436727399059",
"162864881589519443502030191436134728087",
"252738467133413507932928310686382280740",
"111106639122235668039694155904913124616"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "solr/core/src/java/org/apache/solr/handler/admin/SecurityConfHandler.java"
},
"id": "CVE-2026-22444-ae980129"
},
{
"source": "https://github.com/apache/solr/commit/c135e6335c7158fa26e96b0dc386f825255b47c0",
"digest": {
"length": 289.0,
"function_hash": "213238151330680154814911143903409297264"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"file": "solr/core/src/java/org/apache/solr/handler/admin/CollectionsHandler.java",
"function": "getPermissionName"
},
"id": "CVE-2026-22444-d82e9e6e"
},
{
"source": "https://github.com/apache/solr/commit/c135e6335c7158fa26e96b0dc386f825255b47c0",
"digest": {
"length": 189.0,
"function_hash": "66091817643857218543813963995517282094"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"file": "solr/core/src/java/org/apache/solr/handler/SolrConfigHandler.java",
"function": "getPermissionName"
},
"id": "CVE-2026-22444-d97ed861"
},
{
"source": "https://github.com/apache/solr/commit/c135e6335c7158fa26e96b0dc386f825255b47c0",
"digest": {
"length": 2278.0,
"function_hash": "111282808569295236401628538870253350022"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"file": "solr/core/src/java/org/apache/solr/servlet/HttpSolrCall.java",
"function": "init"
},
"id": "CVE-2026-22444-df9c6529"
},
{
"source": "https://github.com/apache/solr/commit/c135e6335c7158fa26e96b0dc386f825255b47c0",
"digest": {
"line_hashes": [
"226306296248802359310220247995995277013",
"121496908389995506677154849858255989362",
"107621676927053957725034464286008436807",
"228164321359792569823207322297444593680"
],
"threshold": 0.9
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Line",
"target": {
"file": "solr/core/src/java/org/apache/solr/handler/admin/CollectionsHandler.java"
},
"id": "CVE-2026-22444-ec2023d6"
},
{
"source": "https://github.com/apache/solr/commit/c135e6335c7158fa26e96b0dc386f825255b47c0",
"digest": {
"length": 317.0,
"function_hash": "120437475613747371534359341551457016583"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"file": "solr/core/src/java/org/apache/solr/handler/admin/ZookeeperInfoHandler.java",
"function": "getPermissionName"
},
"id": "CVE-2026-22444-fd16b4b2"
},
{
"source": "https://github.com/apache/solr/commit/c135e6335c7158fa26e96b0dc386f825255b47c0",
"digest": {
"length": 280.0,
"function_hash": "180201855755994066701040275748131575002"
},
"signature_version": "v1",
"deprecated": false,
"signature_type": "Function",
"target": {
"file": "solr/core/src/java/org/apache/solr/handler/admin/InfoHandler.java",
"function": "getPermissionName"
},
"id": "CVE-2026-22444-ffb0da62"
}
]