Apache Solr AuthTool Hardcoded Credentials Vulnerability

CVE-2026-44825 is a hardcoded credentials vulnerability in Apache Solr’s Basic Authentication setup tool, bin/solr auth enable, affecting SolrCloud deployments. The vulnerability was discovered by the Horizon3.ai Attack Team and responsibly disclosed to the Apache Solr project. When used to enable BasicAuth, the tool can silently install undocumented template users with publicly known default credentials, potentially giving a remote attacker full administrative access to the SolrCloud cluster.

Technical Details

CVE-2026-44825 affects Apache Solr 9.4.0 through 9.10.1 and 10.0.0.

The vulnerability exists in the SolrCloud Basic Authentication setup workflow. When administrators use bin/solr auth enable, Solr can create additional template accounts in security.json, including:

• superadmin
• admin
• search
• index

These accounts may be installed with hardcoded credentials where the username equals the password. If the Solr admin API is reachable, an attacker can authenticate using those credentials and gain administrative access to the cluster.

The superadmin account has security-edit privileges, which can allow an attacker to access indexed data, modify authentication settings, create backdoor accounts, and potentially move toward remote code execution depending on cluster configuration.

Stop Guessing, Start Proving

NodeZero® Proactive Security Platform — Rapid Response

A NodeZero Rapid Response test has been developed to safely validate whether this hardcoded credentials vulnerability can be exploited in your environment. The test executes real attack techniques without causing damage, giving teams immediate clarity on exposure.

• Run the Rapid Response test: Launch from the NodeZero platform to determine whether known hardcoded credentials can authenticate to SolrCloud.
• Patch immediately: Upgrade to Apache Solr 9.11.0 or 10.1.0 when available. As an immediate workaround, delete the template users or change the passwords for superadmin, admin, search, and index.
• Re-run the test: Confirm the hardcoded credentials are no longer exploitable after remediation.

Affected versions & patch

Affected:

• Apache Solr 9.4.0 through 9.10.1
• Apache Solr 10.0.0

Not affected:

• Clusters where bin/solr auth enable was not used to bootstrap BasicAuth
• Clusters where the template users have already been assigned strong passwords after bootstrap

Patch:

• Upgrade to Apache Solr 9.11.0 or 10.1.0 when available
• Until then, remove the template users from security.json or change their passwords

Timeline

• May 29, 2026 – Apache publicly disclosed CVE-2026-44825 via the oss-security mailing list and released remediation guidance.
• May 29, 2026 – Apache published SOLR-18233 and credited Naveen Sunkavally of Horizon3.ai for responsibly reporting the vulnerability.
• June 2, 2026 – NodeZero Rapid Response test available to validate exploitability and verify remediation. 

References

• Apache Security Advisory for CVE-2026-44825 (via Openwall)
• CVE-2026-44825 Record
• Apache JIRA SOLR-18233
• Apache Solr Basic Authentication Plugin Documentation