Cyber Resilience

CVE-2026-44825

Severity: High (updated)
Published: 01 June 2026
Modified: 17 June 2026
CVSS v3.1 score: 8.1 (CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H)
EPSS score: 0.0053 (40.8th percentile)
Risk priority: 55 (floored blend · peak EPSS)

Summary

CVE-2026-44825 is a high-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Apache Solr. Its CVSS base score is 8.1 (High).

Operationally, exploitation maps to the MITRE ATT&CK technique Default Accounts (T1078.001). EPSS ranks this CVE at the 40.8th percentile by exploit likelihood (below the median), and it is not currently listed in the CISA KEV catalog.

Vulnerability details

Hardcoded credentials in the Basic Authentication setup tool (bin/solr auth enable) in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allow a remote attacker to gain full administrative access to the cluster via publicly known default credentials that are installed silently alongside the user-specified account. As an immediate workaround without upgrading, delete the template users (superadmin, admin, search, index) from security.json or change their passwords. The not yet released versions 9.11.0 and 10.1.0 will not be vulnerable; once they are available, upgrading will be sufficient to resolve the issue.

Not affected:
* Clusters where bin/solr auth enable was not used to bootstrap BasicAuth
* Clusters where template users have been assigned strong passwords after bootstrap
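The workaround above can be audited mechanically. The following is an added example (not code from the advisory or the Solr project) that scans a security.json for the four template usernames and produces a copy with them removed; it assumes the BasicAuthPlugin layout, in which "authentication.credentials" maps each username to a "<hash> <salt>" string, and the sample document is constructed. It flags names only, so confirm which account is the operator's own before deleting anything.

```python
"""Audit a Solr security.json for template users left by `bin/solr auth enable`."""
import json

# Template accounts the advisory says the setup tool installs silently.
TEMPLATE_USERS = ("superadmin", "admin", "search", "index")

# Constructed sample: one operator account plus the four template users.
# Hash/salt values are placeholders, not real Solr credential material.
SAMPLE_SECURITY_JSON = json.dumps({
    "authentication": {
        "blockUnknown": True,
        "class": "solr.BasicAuthPlugin",
        "credentials": {
            "ops-user": "PLACEHOLDER_HASH PLACEHOLDER_SALT",
            "superadmin": "PLACEHOLDER_HASH PLACEHOLDER_SALT",
            "admin": "PLACEHOLDER_HASH PLACEHOLDER_SALT",
            "search": "PLACEHOLDER_HASH PLACEHOLDER_SALT",
            "index": "PLACEHOLDER_HASH PLACEHOLDER_SALT",
        },
    },
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "user-role": {"ops-user": "admin", "superadmin": "admin", "search": "search"},
    },
})


def find_template_users(security_json: str) -> list[str]:
    """Return the template usernames still present in security.json, sorted."""
    doc = json.loads(security_json)
    auth = doc.get("authentication", {})
    if auth.get("class") != "solr.BasicAuthPlugin":
        return []  # BasicAuth was not bootstrapped here; advisory lists this as not affected
    creds = auth.get("credentials", {})
    return sorted(u for u in TEMPLATE_USERS if u in creds)


def remove_template_users(security_json: str) -> str:
    """Return a copy of security.json with the template users and their role
    mappings deleted (the advisory's first workaround; rotating their passwords
    is the alternative). Other accounts are left untouched."""
    doc = json.loads(security_json)
    creds = doc.get("authentication", {}).get("credentials", {})
    roles = doc.get("authorization", {}).get("user-role", {})
    for user in TEMPLATE_USERS:
        creds.pop(user, None)
        roles.pop(user, None)
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    print("template users present:", find_template_users(SAMPLE_SECURITY_JSON) or "none")
    print("after cleanup:", find_template_users(remove_template_users(SAMPLE_SECURITY_JSON)) or "none")
```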

CWE(s)

CWE-798 Use of Hard-coded Credentials; CWE-1188 Initialization of a Resource with an Insecure Default

Related Threats

MITRE ATT&CK Enterprise Techniques (AI mapping)

T1078.001 Default Accounts [Stealth]
Adversaries may obtain and abuse credentials of a default account as a means of gaining Initial Access, Persistence, Privilege Escalation, or Defense Evasion.
Why these techniques?

Hardcoded/public default credentials in Solr BasicAuth bootstrap directly enable use of Default Accounts (T1078.001) for remote admin access.

Confidence: HIGH · MITRE ATT&CK Enterprise v19.0

CVEs Like This One

CVE-2026-22022 (same product: Apache Solr)
CVE-2026-22444 (same product: Apache Solr)
CVE-2024-52012 (same product: Apache Solr)
CVE-2026-26218 (shared CWE-798)
CVE-2026-40542 (same vendor: Apache)
CVE-2026-46586 (same vendor: Apache)
CVE-2026-41636 (same vendor: Apache)
CVE-2026-34197 (same vendor: Apache)
CVE-2026-34480 (same vendor: Apache)
CVE-2025-48913 (same vendor: Apache)

Affected Assets

apache solr: 9.4.0 through 9.10.1, 10.0.0

Mitigating Controls

Likely Mitigating Controls (AI mapping)

Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.

* Central credential stores and rotation policies remove the need for hard-coded credentials in configuration files or code. (addresses: CWE-798, CWE-1188)
* Strategy enforces supplier requirements and code reviews that reduce hard-coded credentials introduced through acquired products. (addresses: CWE-798, CWE-1188)
* Requiring security functional requirements and acceptance criteria allows contracts to prohibit hard-coded credentials in delivered systems or components. (addresses: CWE-798, CWE-1188)
* Known vulnerabilities section of admin docs covers hard-coded credentials and how to replace them, limiting their use in deployments. (addresses: CWE-798, CWE-1188)
* Enables users to notice when hard-coded credentials have been exploited for unauthorized access. (addresses: CWE-798)
* Security training explicitly warns against hard-coded credentials, lowering their use in systems. (addresses: CWE-798)
* Requires documented secure initialization practices and avoidance of insecure defaults in configuration baselines. (addresses: CWE-1188)
* Reviewing and updating the baseline when components are installed or upgraded prevents initialization with insecure defaults. (addresses: CWE-1188)
