(solr-site) branch main updated: Security advisory for jwt-auth blockunknown (#181)

Wed, 20 May 2026 00:53:25 -0700 

This is an automated email from the ASF dual-hosted git repository.

janhoy pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/solr-site.git


The following commit(s) were added to refs/heads/main by this push:
     new 0c7186ce9 Security advisory for jwt-auth blockunknown (#181)
0c7186ce9 is described below

commit 0c7186ce9f9c9c01697f4b13e52835706dbde41d
Author: Jan Høydahl <[email protected]>
AuthorDate: Wed May 20 09:53:14 2026 +0200

    Security advisory for jwt-auth blockunknown (#181)
---
 .../2026-05-19-jwt-blockunknown-default.md         | 45 ++++++++++++++++++++++
 1 file changed, 45 insertions(+)

diff --git a/content/solr/security/2026-05-19-jwt-blockunknown-default.md 
b/content/solr/security/2026-05-19-jwt-blockunknown-default.md
new file mode 100644
index 000000000..89c6f98e8
--- /dev/null
+++ b/content/solr/security/2026-05-19-jwt-blockunknown-default.md
@@ -0,0 +1,45 @@
+Title: JWT Authentication: blockUnknown default allows unauthenticated access 
contrary to documentation
+category: solr/security
+cve:
+
+**Severity**
+moderate
+
+**Versions Affected**
+
+- Apache Solr 9.0.0 through 9.10.1
+- Apache Solr 10.0.0
+
+**Description**
+
+The Apache Solr JWT Authentication Plugin has a configuration parameter 
`blockUnknown`
+that controls whether anonymous (unauthenticated) requests are blocked. The 
Reference Guide
+has documented this as defaulting to `true` since Solr 9.0, but the code 
default has always
+been `false`. Operators who did not explicitly set this parameter may 
therefore have been
+unknowingly accepting anonymous requests.
+
+**Am I Affected?**
+
+You may be affected if **all** of the following are true:
+
+1. You use the JWT Authentication Plugin (`solr.JWTAuthPlugin`) in 
`security.json`
+2. Your intention is to block all unauthenticated requests
+3. Your `security.json` does **not** explicitly set `blockUnknown` to `true`
+
+You are **not** affected if any of the following applies:
+
+- `blockUnknown` is explicitly set to `true` in `security.json`
+- An AuthorizationPlugin (e.g. `RuleBasedAuthorizationPlugin`) independently 
denies access to unauthenticated users
+
+**Mitigation**
+
+Check the `authentication` section of your `security.json`. If `blockUnknown` 
is absent, set it explicitly to `true`.
+
+**Fix**
+
+Upcoming Solr 9.11 and 10.1 releases will change the code default of 
`blockUnknown` to `true`.
+Explicitly setting `blockUnknown` to `true` in a current release is 
sufficient; upgrading is not required.
+
+**References**
+
+- [JWT Authentication Plugin 
documentation](https://solr.apache.org/guide/solr/latest/deployment-guide/jwt-authentication-plugin.html)

Reply via email to