CVE-2026-44825
Published: 01 June 2026
Summary
CVE-2026-44825 is a high-severity Use of Hard-coded Credentials (CWE-798) vulnerability in Apache Solr. Its CVSS base score is 8.1 (High).
Operationally, exploitation aligns with the MITRE ATT&CK technique Default Accounts (T1078.001); ranked at the 40.8th percentile by exploit likelihood (below the median); it is not currently listed in the CISA KEV catalog.
OWASP Top 10 for Web (2025)
EU & UK References
- 🇪🇺 ENISA EUVD: EUVD-2026-33602
Vulnerability details
Hardcoded credentials in the Basic Authentication setup tool (bin/solr auth enable) in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allows a remote attacker to gain full administrative access to the cluster via publicly known default credentials installed silently alongside…
more
the user-specified account. As an immediate workaround without upgrading, delete the template users (superadmin, admin, search, index) from security.json or change their passwords. The future, not yet released, versions 9.11.0 and 10.1.0 will not be vulnerable, and it will be enough to upgrade to solve the issue. Not affected: * Clusters where bin/solr auth enable was not used to bootstrap BasicAuth * Clusters where template users have been assigned strong passwords after bootstrap
- CWE(s)
Related Threats
MITRE ATT&CK Enterprise TechniquesAI
Why these techniques?
Hardcoded/public default credentials in Solr BasicAuth bootstrap directly enable use of Default Accounts (T1078.001) for remote admin access.
CVEs Like This One
Affected Assets
Mitigating Controls
Likely Mitigating Controls AI
Per-CVE control mapping for this CVE has not run yet; the list below is derived from the weakness types (CWEs) cited in the NVD entry.
Central credential stores and rotation policies remove the need for hard-coded credentials in configuration files or code.
Strategy enforces supplier requirements and code reviews that reduce hard-coded credentials introduced through acquired products.
Requiring security functional requirements and acceptance criteria allows contracts to prohibit hard-coded credentials in delivered systems or components.
Known vulnerabilities section of admin docs covers hard-coded credentials and how to replace them, limiting their use in deployments.
Enables users to notice when hard-coded credentials have been exploited for unauthorized access.
Security training explicitly warns against hard-coded credentials, lowering their use in systems.
Requires documented secure initialization practices and avoidance of insecure defaults in configuration baselines.
Reviewing and updating baseline when components are installed or upgraded prevents initialization with insecure defaults.