Cyber Posture

CVE-2026-22022

Severity: High
Published: 21 January 2026
Modified: 27 January 2026
CVSS Score: 8.2 (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N)
EPSS Score: 0.0019 (40.1th percentile)
Risk Priority: 17 (weighted 60% EPSS, 20% KEV, 20% CVSS)

Summary

CVE-2026-22022 is a high-severity Improper Authorization (CWE-285) vulnerability in Apache Solr. Its CVSS base score is 8.2 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190). EPSS ranks it at the 40.1th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and CM-6 (Configuration Settings).

Threat & Defense at a Glance

What attackers do: exploitation maps to Exploit Public-Facing Application (T1190). What defenders deploy: see the NIST 800-53 controls recommended below.
Threat & Defense Details

Mitigating Controls (NIST 800-53 r5)

Prevent: Remediating the authorization flaw in Solr's RuleBasedAuthorizationPlugin by applying vendor-recommended patches or upgrading to Solr 9.10.1 or later directly eliminates unauthorized API access.

Prevent: Establishing and enforcing configuration settings in security.json to include the 'all' pre-defined permission for admin roles prevents the specific misconfiguration enabling unauthorized access to Solr APIs.

Prevent: Enforcing approved authorizations through properly validated mechanisms like the RuleBasedAuthorizationPlugin directly counters the improper authorization allowing access to config-read, config-edit, and similar APIs.

MITRE ATT&CK Enterprise Techniques

T1190 Exploit Public-Facing Application (Initial Access)
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.

Why these techniques?

The vulnerability enables remote, unauthenticated exploitation of a public-facing Apache Solr application to access sensitive APIs (e.g., config-read, security-read), directly mapping to T1190: Exploit Public-Facing Application.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

NVD Description

Deployments of Apache Solr 5.3.0 through 9.10.0 that rely on Solr's "Rule Based Authorization Plugin" are vulnerable to allowing unauthorized access to certain Solr APIs, due to insufficiently strict input validation in those components. Only deployments that meet all of the following criteria are impacted by this vulnerability:

* Use of Solr's "RuleBasedAuthorizationPlugin"
* A RuleBasedAuthorizationPlugin config (see security.json) that specifies multiple "roles"
* A RuleBasedAuthorizationPlugin permission list (see security.json) that uses one or more of the following pre-defined permission rules: "config-read", "config-edit", "schema-read", "metrics-read", or "security-read".
* A RuleBasedAuthorizationPlugin permission list that doesn't define the "all" pre-defined permission
* A networking setup that allows clients to make unfiltered network requests to Solr (i.e. user-submitted HTTP/HTTPS requests reach Solr as-is, unmodified or restricted by any intervening proxy or gateway)

Users can mitigate this vulnerability by ensuring that their RuleBasedAuthorizationPlugin configuration specifies the "all" pre-defined permission and associates the permission with an "admin" or other privileged role. Users can also upgrade to a Solr version outside of the impacted range, such as the recently released Solr 9.10.1.

Deeper analysis

CVE-2026-22022 is a vulnerability in Apache Solr versions 5.3.0 through 9.10.0 that affects deployments relying on the Rule Based Authorization Plugin due to insufficiently strict input validation. This flaw enables unauthorized access to certain Solr APIs, but only impacts configurations meeting all of the following criteria: use of the RuleBasedAuthorizationPlugin; a security.json configuration specifying multiple roles; permission lists that include one or more of the pre-defined rules "config-read", "config-edit", "schema-read", "metrics-read", or "security-read" without defining the "all" pre-defined permission; and a networking setup allowing unfiltered client requests to Solr.

Attackers can exploit this vulnerability remotely over the network with no authentication required (AV:N/AC:L/PR:N), provided the networking allows direct HTTP/HTTPS access to Solr without proxy or gateway restrictions. Successful exploitation grants unauthorized access to sensitive APIs, resulting in high confidentiality impact (such as reading configurations or metrics) and low integrity impact, as reflected in the CVSS v3.1 base score of 8.2 (C:H/I:L/A:N). The issue stems from CWE-285 (Improper Authorization).

Apache advisories recommend mitigating by updating the RuleBasedAuthorizationPlugin configuration in security.json to specify the "all" pre-defined permission and associate it with an "admin" or other privileged role. Alternatively, users can upgrade to Solr 9.10.1 or a later version outside the affected range. Details are available in the Apache announcement at https://lists.apache.org/thread/d59hqbgo7p62myq7mgfpz7or8n1j7wbn and on the oss-security mailing list at http://www.openwall.com/lists/oss-security/2026/01/20/4.
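The configuration criteria from the NVD description and the security.json mitigation above, as an added audit script (not code from the Apache Solr project or this page's source). It assumes the standard security.json layout (an "authorization" object with "class", "permissions" and "user-role" keys) and uses constructed sample configs; the unfiltered-network criterion cannot be judged from the file and must be checked separately.

```python
import json

# Pre-defined permission names the advisory lists as affected when "all" is absent.
AFFECTED_PERMISSIONS = {"config-read", "config-edit", "schema-read",
                        "metrics-read", "security-read"}

def audit_rbap_config(security_json: str) -> dict:
    """Check a security.json against the advisory's configuration criteria.
    Returns one flag per criterion; the deployment is exposed only when all are
    True AND clients reach Solr unfiltered, which this file cannot tell us."""
    authz = json.loads(security_json).get("authorization", {})
    permissions = authz.get("permissions", [])
    perm_names = {p.get("name") for p in permissions}
    # Collect distinct role names from the user-role map and permission rules.
    roles = set()
    for assigned in authz.get("user-role", {}).values():
        roles.update(assigned if isinstance(assigned, list) else [assigned])
    for p in permissions:
        r = p.get("role")
        if r and r != "*":  # "*" means any authenticated user, not a role name
            roles.update(r if isinstance(r, list) else [r])
    flags = {
        "uses_rbap": "RuleBasedAuthorizationPlugin" in str(authz.get("class", "")),
        "multiple_roles": len(roles) > 1,
        "uses_affected_permission": bool(perm_names & AFFECTED_PERMISSIONS),
        "lacks_all_permission": "all" not in perm_names,
    }
    flags["config_criteria_met"] = all(flags.values())
    return flags

def add_all_permission(security_json: str, role: str = "admin") -> str:
    """Apply the advisory's configuration mitigation: define the "all"
    permission and bind it to a privileged role (assumed here to be "admin")."""
    cfg = json.loads(security_json)
    perms = cfg.setdefault("authorization", {}).setdefault("permissions", [])
    if not any(p.get("name") == "all" for p in perms):
        perms.append({"name": "all", "role": role})
    return json.dumps(cfg, indent=2)

# Constructed sample: two roles, uses config-read, and no "all" permission.
EXPOSED_SECURITY_JSON = json.dumps({
    "authentication": {"class": "solr.BasicAuthPlugin", "blockUnknown": True},
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "permissions": [{"name": "config-read", "role": "admin"},
                        {"name": "read", "role": "viewer"}],
        "user-role": {"solr": "admin", "analyst": "viewer"}}})
```

Running audit_rbap_config on the sample reports every configuration criterion met; after add_all_permission the "lacks_all_permission" flag clears and the config no longer matches the advisory's conditions.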

Details

CWE(s): CWE-285 Improper Authorization

Affected Products

apache
solr
5.3.0 — 9.10.1

CVEs Like This One

CVE-2024-52012 (same product: Apache Solr)
CVE-2026-22444 (same product: Apache Solr)
CVE-2025-22828 (same vendor: Apache)
CVE-2026-27446 (same vendor: Apache)
CVE-2024-56180 (same vendor: Apache)
CVE-2026-30778 (same vendor: Apache)
CVE-2025-27821 (same vendor: Apache)
CVE-2026-24015 (same vendor: Apache)
CVE-2026-34197 (same vendor: Apache)
CVE-2026-24880 (same vendor: Apache)

References