This is an automated email from the ASF dual-hosted git repository.
gerlowskija pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/solr-site.git
The following commit(s) were added to refs/heads/main by this push:
new 0ba14aeb1 Adding CVE news entries for 9.10.1-resolved CVEs
0ba14aeb1 is described below
commit 0ba14aeb1768bd4d17cc07c480078228ec62c591
Author: Jason Gerlowski <[email protected]>
AuthorDate: Tue Jan 20 12:31:03 2026 -0500
Adding CVE news entries for 9.10.1-resolved CVEs
- CVE-2026-22022
- CVE-2026-22444
---
content/solr/security/2026-01-20-cve-2026-22022.md | 26 +++++++++++++++++++++
content/solr/security/2026-01-20-cve-2026-22444.md | 27 ++++++++++++++++++++++
2 files changed, 53 insertions(+)
diff --git a/content/solr/security/2026-01-20-cve-2026-22022.md
b/content/solr/security/2026-01-20-cve-2026-22022.md
new file mode 100644
index 000000000..221000990
--- /dev/null
+++ b/content/solr/security/2026-01-20-cve-2026-22022.md
@@ -0,0 +1,26 @@
+Title: CVE-2026-22022 - Unauthorized bypass of certain "predefined permission"
rules in the RuleBasedAuthorizationPlugin
+category: solr/security
+cve: CVE-2026-22022
+
+**Severity**
+moderate
+
+**Description**
+Deployments of Apache Solr 5.3.0 through 9.10.0 that rely on Solr's "Rule
Based Authorization Plugin" are vulnerable to allowing unauthorized access to
certain Solr APIs, due to insufficiently strict input validation in those
components. Only deployments that meet all of the following criteria are
impacted by this vulnerability:
+
+1. Use of Solr's "RuleBasedAuthorizationPlugin"
+2. A RuleBasedAuthorizationPlugin config (see security.json) that specifies
multiple "roles"
+3. A RuleBasedAuthorizationPlugin permission list (see security.json) that
uses one or more of the following pre-defined permission rules: "config-read",
"config-edit", "schema-read", "metrics-read", or "security-read".
+4. A RuleBasedAuthorizationPlugin permission list that doesn't define the
"all" pre-defined permission
+5. A networking setup that allows clients to make unfiltered network requests
to Solr. (i.e. user-submitted HTTP/HTTPS requests reach Solr as-is, unmodified
or restricted by any intervening proxy or gateway)
+
+**Mitigation**
+
+Users can mitigate this vulnerability by ensuring that their
RuleBasedAuthorizationPlugin configuration specifies the "all" pre-defined
permission and associates the permission with an "admin" or other privileged
role. Users can also upgrade to a Solr version outside of the impacted range,
such as the recently released Solr 9.10.1.
+
+**Credit**
+monkeontheroof (reporter)
+
+**References**
+JIRA - [SOLR-18054](https://issues.apache.org/jira/browse/SOLR-18054)
+CVE - [CVE-2026-22022](https://www.cve.org/CVERecord?id=CVE-2026-22022)
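Review bot: In the impact criteria of this entry, item 5 reads "unmodified or restricted by any intervening proxy or gateway", which says the opposite of what is meant; it should be "neither modified nor restricted by any intervening proxy or gateway" so it is clear that a filtering proxy in front of Solr takes a deployment out of scope. Two smaller points on the same file: the Title value appears to span two lines here (the line starting "rules in the RuleBasedAuthorizationPlugin"), and if that break exists in the committed file rather than only in this mail, the metadata parser will see only the first half, so keep the Title on one line; and the Mitigation names Solr 9.10.1 as the fixed release, so consider adding it to the References list alongside the JIRA and CVE links so readers can find the release notes from this page.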
diff --git a/content/solr/security/2026-01-20-cve-2026-22444.md
b/content/solr/security/2026-01-20-cve-2026-22444.md
new file mode 100644
index 000000000..1c906e084
--- /dev/null
+++ b/content/solr/security/2026-01-20-cve-2026-22444.md
@@ -0,0 +1,27 @@
+Title: CVE-2026-22444 - Insufficient file-access checking in standalone
core-creation requests
+category: solr/security
+cve: CVE-2026-22444
+
+**Severity**
+moderate
+
+**Description**
+
+The "create core" API of Apache Solr 8.6 through 9.10.0 lacks sufficient input
validation on some API parameters, which can cause Solr to check the existence
of and attempt to read file-system paths that should be disallowed by Solr's
"allowPaths" security setting. These read-only accesses can allow users to
create cores using unexpected configsets if any are accessible via the
filesystem. On Windows systems configured to allow UNC paths this can
additionally cause disclosure of NTLM " [...]
+
+Solr deployments are subject to this vulnerability if they meet the following
criteria:
+
+1. Solr is running in its "standalone" mode.
+2. Solr's "allowPath" setting is being used to restrict file access to certain
directories.
+3. Solr's "create core" API is exposed and accessible to untrusted users.
This can happen if Solr's RuleBasedAuthorizationPlugin is disabled, or if it is
enabled but the "core-admin-edit" predefined permission (or an equivalent
custom permission) is given to low-trust (i.e. non-admin) user roles.
+
+**Mitigation**
+
+Users can mitigate this by enabling Solr's RuleBasedAuthorizationPlugin (if
disabled) and configuring a permission-list that prevents untrusted users from
creating new Solr cores. Users should also upgrade to Apache Solr 9.10.1 or
greater, which contain fixes for this issue.
+
+**Credit**
+Damon Toey (reporter)
+
+**References**
+JIRA - [SOLR-18058](https://issues.apache.org/jira/browse/SOLR-18058)
+CVE - [CVE-2026-22444](https://www.cve.org/CVERecord?id=CVE-2026-22444)
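Review bot: The Description sentence ending "additionally cause disclosure of NTLM " [...]" is cut off mid-quotation, so the Windows/UNC impact statement is incomplete and should be finished (or the trailing fragment removed) before this page is published. The setting is also named inconsistently: the Description calls it "allowPaths" while criterion 2 calls it "allowPath"; use one spelling, matching the actual solr.xml property, in both places. In the Mitigation, "Apache Solr 9.10.1 or greater, which contain fixes for this issue" should read "which contains the fix for this issue" (or "versions which contain"), and as with the sibling CVE entry the Title value appears split across two lines ("core-creation requests" on its own line), which will break front-matter parsing if the break is present in the file itself. Finally, since criterion 1 limits impact to standalone mode, a sentence in Mitigation stating that SolrCloud deployments are outside the impacted criteria would save readers working that out from the list.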