CVE-2026-22444
Published: 21 January 2026
Summary
CVE-2026-22444 is a high-severity Improper Input Validation (CWE-20) vulnerability in Apache Solr. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).
Deeper analysis
CVE-2026-22444 affects the "create core" API in Apache Solr versions 8.6 through 9.10.0, where insufficient input validation on certain API parameters allows Solr to check the existence of and attempt to read filesystem paths that should be disallowed by the "allowPaths" security setting. This issue enables read-only accesses that can permit the creation of cores using unexpected configsets if those are accessible via the filesystem. On Windows systems configured to allow UNC paths, it can additionally lead to the disclosure of NTLM "user" hashes.
The vulnerability can be exploited by low-privileged users (PR:L) with network access (AV:N) in Solr deployments running in standalone mode where the "allowPaths" setting restricts file access and the "create core" API is exposed to untrusted users. This exposure occurs if the RuleBasedAuthorizationPlugin is disabled or if the "core-admin-edit" permission (or equivalent) is granted to non-admin roles. Attackers can achieve high confidentiality impact (C:H) by reading disallowed paths, creating cores with unauthorized configsets, and potentially extracting NTLM hashes on Windows, with low integrity impact (I:L) and no availability impact, as scored at CVSS 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N) under CWE-20 (Improper Input Validation).
Advisories recommend mitigating by enabling the RuleBasedAuthorizationPlugin if disabled and configuring permissions to prevent untrusted users from creating new Solr cores. Users should also upgrade to Apache Solr 9.10.1 or later, which includes fixes for this issue. Further details are available in the Apache announcement at https://lists.apache.org/thread/qkrb9dd4xrlqmmq73lrhkbfkttto2d1m and the OSS-Security mailing list at http://www.openwall.com/lists/oss-security/2026/01/20/5.
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-3665
Vulnerability details
The "create core" API of Apache Solr 8.6 through 9.10.0 lacks sufficient input validation on some API parameters, which can cause Solr to check the existence of and attempt to read file-system paths that should be disallowed by Solr's "allowPaths"…
more
security setting https://https://solr.apache.org/guide/solr/latest/configuration-guide/configuring-solr-xml.html#the-solr-element . These read-only accesses can allow users to create cores using unexpected configsets if any are accessible via the filesystem. On Windows systems configured to allow UNC paths this can additionally cause disclosure of NTLM "user" hashes. Solr deployments are subject to this vulnerability if they meet the following criteria: * Solr is running in its "standalone" mode. * Solr's "allowPath" setting is being used to restrict file access to certain directories. * Solr's "create core" API is exposed and accessible to untrusted users. This can happen if Solr's RuleBasedAuthorizationPlugin https://solr.apache.org/guide/solr/latest/deployment-guide/rule-based-authorization-plugin.html is disabled, or if it is enabled but the "core-admin-edit" predefined permission (or an equivalent custom permission) is given to low-trust (i.e. non-admin) user roles. Users can mitigate this by enabling Solr's RuleBasedAuthorizationPlugin (if disabled) and configuring a permission-list that prevents untrusted users from creating new Solr cores. Users should also upgrade to Apache Solr 9.10.1 or greater, which contain fixes for this issue.
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vuln in public Solr API enables unauthorized FS reads (T1005) and NTLM hash disclosure via UNC paths (T1187); initial access via public app exploitation (T1190).
CVEs Like This One
Affected Assets
Mitigating Controls
Mitigating Controls (NIST 800-53 r5) AI
Enforces authorization decisions so that only trusted roles can invoke the create-core API, directly blocking the exposure that lets untrusted users bypass allowPaths.
Requires validation of all API parameters before they are used to resolve filesystem paths, eliminating the improper-input-validation flaw that permits disallowed reads and UNC-based NTLM disclosure.
Ensures the core-admin-edit permission (or equivalent) is granted only to administrative roles, preventing low-privilege accounts from reaching the vulnerable create-core endpoint.