Cyber Resilience

CVE-2026-22444

High

Published: 21 January 2026

Published
21 January 2026
Modified
27 January 2026
KEV Added
Patch
CVSS Score v3.1 7.1 CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N
EPSS Score 0.0003 10.8th percentile
Risk Priority 14 60% EPSS · 20% KEV · 20% CVSS

Summary

CVE-2026-22444 is a high-severity Improper Input Validation (CWE-20) vulnerability in Apache Solr. Its CVSS base score is 7.1 (High).

Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 10.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.

The strongest mitigations our analysis identified are NIST 800-53 AC-3 (Access Enforcement) and SI-10 (Information Input Validation).

Deeper analysis

CVE-2026-22444 affects the "create core" API in Apache Solr versions 8.6 through 9.10.0, where insufficient input validation on certain API parameters allows Solr to check the existence of and attempt to read filesystem paths that should be disallowed by the "allowPaths" security setting. This issue enables read-only accesses that can permit the creation of cores using unexpected configsets if those are accessible via the filesystem. On Windows systems configured to allow UNC paths, it can additionally lead to the disclosure of NTLM "user" hashes.

The vulnerability can be exploited by low-privileged users (PR:L) with network access (AV:N) in Solr deployments running in standalone mode where the "allowPaths" setting restricts file access and the "create core" API is exposed to untrusted users. This exposure occurs if the RuleBasedAuthorizationPlugin is disabled or if the "core-admin-edit" permission (or equivalent) is granted to non-admin roles. Attackers can achieve high confidentiality impact (C:H) by reading disallowed paths, creating cores with unauthorized configsets, and potentially extracting NTLM hashes on Windows, with low integrity impact (I:L) and no availability impact, as scored at CVSS 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N) under CWE-20 (Improper Input Validation).

Advisories recommend mitigating by enabling the RuleBasedAuthorizationPlugin if disabled and configuring permissions to prevent untrusted users from creating new Solr cores. Users should also upgrade to Apache Solr 9.10.1 or later, which includes fixes for this issue. Further details are available in the Apache announcement at https://lists.apache.org/thread/qkrb9dd4xrlqmmq73lrhkbfkttto2d1m and the OSS-Security mailing list at http://www.openwall.com/lists/oss-security/2026/01/20/5.

EU & UK References

Vulnerability details

The "create core" API of Apache Solr 8.6 through 9.10.0 lacks sufficient input validation on some API parameters, which can cause Solr to check the existence of and attempt to read file-system paths that should be disallowed by Solr's "allowPaths"…

more

security setting https://https://solr.apache.org/guide/solr/latest/configuration-guide/configuring-solr-xml.html#the-solr-element . These read-only accesses can allow users to create cores using unexpected configsets if any are accessible via the filesystem. On Windows systems configured to allow UNC paths this can additionally cause disclosure of NTLM "user" hashes. Solr deployments are subject to this vulnerability if they meet the following criteria: * Solr is running in its "standalone" mode. * Solr's "allowPath" setting is being used to restrict file access to certain directories. * Solr's "create core" API is exposed and accessible to untrusted users. This can happen if Solr's RuleBasedAuthorizationPlugin https://solr.apache.org/guide/solr/latest/deployment-guide/rule-based-authorization-plugin.html is disabled, or if it is enabled but the "core-admin-edit" predefined permission (or an equivalent custom permission) is given to low-trust (i.e. non-admin) user roles. Users can mitigate this by enabling Solr's RuleBasedAuthorizationPlugin (if disabled) and configuring a permission-list that prevents untrusted users from creating new Solr cores. Users should also upgrade to Apache Solr 9.10.1 or greater, which contain fixes for this issue.

CWE(s)

Related Threats

MITRE ATT&CK Enterprise TechniquesAI

T1190 Exploit Public-Facing Application Initial Access
Adversaries may attempt to exploit a weakness in an Internet-facing host or system to initially access a network.
T1005 Data from Local System Collection
Adversaries may search local system sources, such as file systems, configuration files, local databases, virtual machine files, or process memory, to find files of interest and sensitive data prior to Exfiltration.
T1187 Forced Authentication Credential Access
Adversaries may gather credential material by invoking or forcing a user to automatically provide authentication information through a mechanism in which they can intercept.
Why these techniques?

Vuln in public Solr API enables unauthorized FS reads (T1005) and NTLM hash disclosure via UNC paths (T1187); initial access via public app exploitation (T1190).

Confidence: HIGH · MITRE ATT&CK Enterprise v18.1

CVEs Like This One

CVE-2026-22022Same product: Apache Solr
CVE-2024-52012Same product: Apache Solr
CVE-2026-44825Same product: Apache Solr
CVE-2025-50151Same vendor: Apache
CVE-2025-48913Same vendor: Apache
CVE-2026-41293Same vendor: Apache
CVE-2026-24734Same vendor: Apache
CVE-2025-29847Same vendor: Apache
CVE-2025-66614Same vendor: Apache
CVE-2026-24713Same vendor: Apache

Affected Assets

apache
solr
8.6.0 — 9.10.1

Mitigating Controls

Mitigating Controls (NIST 800-53 r5) AI

prevent

Enforces authorization decisions so that only trusted roles can invoke the create-core API, directly blocking the exposure that lets untrusted users bypass allowPaths.

prevent

Requires validation of all API parameters before they are used to resolve filesystem paths, eliminating the improper-input-validation flaw that permits disallowed reads and UNC-based NTLM disclosure.

prevent

Ensures the core-admin-edit permission (or equivalent) is granted only to administrative roles, preventing low-privilege accounts from reaching the vulnerable create-core endpoint.

References