[ 
https://issues.apache.org/jira/browse/SOLR-18233?page=com.atlassian.jira.plugin.system.issuetabpanels:all-tabpanel
 ]

Jan Høydahl updated SOLR-18233:
-------------------------------
    Security: Public  (was: Private (Security Issue))

> CVE-2026-44825 SolrCloud bin/solr hardcoded credentials
> -------------------------------------------------------
>
>                 Key: SOLR-18233
>                 URL: https://issues.apache.org/jira/browse/SOLR-18233
>             Project: Solr
>          Issue Type: Bug
>      Security Level: Public(Default Security Level. Issues are Public) 
>          Components: Authentication, security
>    Affects Versions: 9.4, 9.5, 9.6, 9.7, 9.8, 9.9, 9.10, 10.0, 9.10.1
>            Reporter: Jan Høydahl
>            Assignee: Jan Høydahl
>            Priority: Blocker
>             Fix For: 10.1, 9.11
>
>
> h2. The CVE text
> Hardcoded credentials in the Basic Authentication setup tool (bin/solr auth 
> enable) in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allow a 
> remote attacker to gain full administrative access to the cluster via 
> publicly known default credentials installed silently alongside the 
> user-specified account.
> As an immediate workaround without upgrading, delete the template users 
> (superadmin, admin, search, index) from security.json or change their 
> passwords.
> Not affected:
>  *  Clusters where bin/solr auth enable was not used to bootstrap BasicAuth
>  *  Clusters where template users have been assigned strong passwords after 
> bootstrap
> h2. Mitigation
> If you came here from the link in the CVE, there is nothing more for you to 
> do than what is written above. Delete the template users or change their 
> passwords.
> h2. What code changes this Jira will do
> This Jira issue will add these changes in upcoming 9.11 and 10.1 releases:
>  * Remove the superadmin template user
>  * Do not set passwords for remaining template users, so operator needs to 
> change password
>  * Echo to console after use of {{bin/solr auth enable}} that users are 
> created and their passwords must be set
>  * Document the auth enable command better



--
This message was sent by Atlassian Jira
(v8.20.10#820010)
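An added example, not part of the Jira issue or of Solr's own code: a small Python audit that reports which of the template users named above are still present in security.json and then either removes them or rotates them to a fresh random password. The stored-credential layout (base64 of a double SHA-256 over salt plus password, then a space, then the base64 salt) is assumed from Solr's Sha256AuthenticationProvider and is not stated in this issue; the sample security.json is constructed.

```python
from __future__ import annotations

import base64
import hashlib
import json
import secrets

# Template accounts created by `bin/solr auth enable` (names taken from the advisory).
TEMPLATE_USERS = ("superadmin", "admin", "search", "index")

# Constructed sample security.json: one operator account plus the four template users.
# Credential strings are placeholders, not real Solr output.
SAMPLE_SECURITY_JSON = json.dumps({
    "authentication": {
        "blockUnknown": True,
        "class": "solr.BasicAuthPlugin",
        "credentials": {u: "PLACEHOLDER_HASH PLACEHOLDER_SALT"
                        for u in ("alice",) + TEMPLATE_USERS},
    },
    "authorization": {"class": "solr.RuleBasedAuthorizationPlugin"},
})


def find_template_users(security_json: str) -> list[str]:
    """Return the template users still present in the credentials map."""
    creds = json.loads(security_json)["authentication"].get("credentials", {})
    return [u for u in TEMPLATE_USERS if u in creds]


def solr_password_hash(password: str, salt: bytes | None = None) -> str:
    """Assumed Solr format: base64(sha256(sha256(salt||pwd))) + ' ' + base64(salt)."""
    salt = salt if salt is not None else secrets.token_bytes(32)
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    outer = hashlib.sha256(inner).digest()
    return base64.b64encode(outer).decode() + " " + base64.b64encode(salt).decode()


def remediate(security_json: str, rotate: tuple[str, ...] = ()) -> tuple[str, dict[str, str]]:
    """Delete template users; those listed in `rotate` are kept with a new random password.

    Returns the rewritten security.json and the new plaintext passwords to hand to the operator."""
    doc = json.loads(security_json)
    creds = doc["authentication"].setdefault("credentials", {})
    new_passwords: dict[str, str] = {}
    for user in find_template_users(security_json):
        if user in rotate:
            new_passwords[user] = secrets.token_urlsafe(24)
            creds[user] = solr_password_hash(new_passwords[user])
        else:
            del creds[user]  # remove the account outright, as the advisory recommends
    return json.dumps(doc, indent=2), new_passwords
```

Upload the rewritten document with the usual `bin/solr zk cp` or the Authentication API; the returned plaintext passwords exist only in memory and must be stored by the operator.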
