CVE-2026-44825EPSS p52.2%

CVE-2026-44825CVE-2026-44825

apache / solr

Description

Hardcoded credentials in the Basic Authentication setup tool (bin/solr auth enable) in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allows a remote attacker to gain full administrative access to the cluster via publicly known default credentials installed silently alongside the user-specified account. As an immediate workaround without upgrading, delete the template users (superadmin, admin, search, index) from security.json or change their passwords. The future, not yet released, versions 9.11.0 and 10.1.0 will not be vulnerable, and it will be enough to upgrade to solve the issue. Not affected: * Clusters where bin/solr auth enable was not used to bootstrap BasicAuth * Clusters where template users have been assigned strong passwords after bootstrap

Scoring

CVSS 8.1 ()
VectorCVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:U/C:H/I:H/A:H
EPSS0.81% probability of exploitation · percentile 52.2% · 2026-06-19T12:03:05Z
Last modified2026-06-01

Related by meaning· 6

Nearest entities by semantic similarity across the cs-graph corpus.

CVE
CVE-2026-22022
CVE
Apache Solr DataImportHandler Code Injection Vulnerability
CVE
CVE-2025-1393
CVE
CVE-2025-2538
CVE
CVE-2025-52159
CVE
CVE-2026-4404
Sourced from NVD + FIRST.org EPSS. Curated for EU compliance use cases by Adam Lundqvist, Founder at SQUR.