CVE-2026-22444
Published: 21 January 2026
Summary
CVE-2026-22444 is a high-severity Improper Input Validation (CWE-20) vulnerability in Apache Solr. Its CVSS base score is 7.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Exploit Public-Facing Application (T1190); ranked at the 8.9th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
Threat & Defense at a Glance
Threat & Defense Details
Likely Mitigating ControlsAI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Security testing and developer training directly verify and enforce proper input validation, reducing exploitability of injection and malformed-data weaknesses.
Security testing and evaluation at multiple SDLC stages directly detects missing or flawed input validation, with the required remediation process ensuring fixes are applied.
Directly implements checks on information inputs to reject invalid data before processing.
Spam protection mechanisms perform filtering and detection on inbound/outbound messages, directly compensating for missing or weak input validation of unsolicited content.
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Vuln in public Solr API enables unauthorized FS reads (T1005) and NTLM hash disclosure via UNC paths (T1187); initial access via public app exploitation (T1190).
NVD Description
The "create core" API of Apache Solr 8.6 through 9.10.0 lacks sufficient input validation on some API parameters, which can cause Solr to check the existence of and attempt to read file-system paths that should be disallowed by Solr's "allowPaths"…
more
security setting https://https://solr.apache.org/guide/solr/latest/configuration-guide/configuring-solr-xml.html#the-solr-element . These read-only accesses can allow users to create cores using unexpected configsets if any are accessible via the filesystem. On Windows systems configured to allow UNC paths this can additionally cause disclosure of NTLM "user" hashes. Solr deployments are subject to this vulnerability if they meet the following criteria: * Solr is running in its "standalone" mode. * Solr's "allowPath" setting is being used to restrict file access to certain directories. * Solr's "create core" API is exposed and accessible to untrusted users. This can happen if Solr's RuleBasedAuthorizationPlugin https://solr.apache.org/guide/solr/latest/deployment-guide/rule-based-authorization-plugin.html is disabled, or if it is enabled but the "core-admin-edit" predefined permission (or an equivalent custom permission) is given to low-trust (i.e. non-admin) user roles. Users can mitigate this by enabling Solr's RuleBasedAuthorizationPlugin (if disabled) and configuring a permission-list that prevents untrusted users from creating new Solr cores. Users should also upgrade to Apache Solr 9.10.1 or greater, which contain fixes for this issue.
Deeper analysisAI
CVE-2026-22444 affects the "create core" API in Apache Solr versions 8.6 through 9.10.0, where insufficient input validation on certain API parameters allows Solr to check the existence of and attempt to read filesystem paths that should be disallowed by the "allowPaths" security setting. This issue enables read-only accesses that can permit the creation of cores using unexpected configsets if those are accessible via the filesystem. On Windows systems configured to allow UNC paths, it can additionally lead to the disclosure of NTLM "user" hashes.
The vulnerability can be exploited by low-privileged users (PR:L) with network access (AV:N) in Solr deployments running in standalone mode where the "allowPaths" setting restricts file access and the "create core" API is exposed to untrusted users. This exposure occurs if the RuleBasedAuthorizationPlugin is disabled or if the "core-admin-edit" permission (or equivalent) is granted to non-admin roles. Attackers can achieve high confidentiality impact (C:H) by reading disallowed paths, creating cores with unauthorized configsets, and potentially extracting NTLM hashes on Windows, with low integrity impact (I:L) and no availability impact, as scored at CVSS 7.1 (CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:H/I:L/A:N) under CWE-20 (Improper Input Validation).
Advisories recommend mitigating by enabling the RuleBasedAuthorizationPlugin if disabled and configuring permissions to prevent untrusted users from creating new Solr cores. Users should also upgrade to Apache Solr 9.10.1 or later, which includes fixes for this issue. Further details are available in the Apache announcement at https://lists.apache.org/thread/qkrb9dd4xrlqmmq73lrhkbfkttto2d1m and the OSS-Security mailing list at http://www.openwall.com/lists/oss-security/2026/01/20/5.
Details
- CWE(s)