CVE-2026-44825: Apache Solr versions 9.4.0 to 10.0.0: Default Credentials Allow Unauthorized Access

Severity score: 9.8

Summary

Apache Solr versions 9.4.0 to 10.0.0 contain hardcoded default credentials that can be used by an attacker to gain full administrative access to the cluster. To protect your cluster, delete or change the passwords of the default users (superadmin, admin, search, index) in the security.json file. Upgrading to a future version (9.11.0 or 10.1.0) will also resolve the issue.
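A defender-side audit of the workaround above, added here as an example (not Solr project code): it assumes the standard BasicAuthPlugin security.json layout (authentication.credentials keyed by username, authorization.user-role) and uses a constructed sample file with placeholder hash values. It lists the template users still present, writes a cleaned copy, and builds the Authentication API body that removes the same users from a running cluster; presence only flags a candidate, since a template user whose password was changed after bootstrap is not affected.

```python
"""Audit a Solr security.json for the template users that `bin/solr auth enable`
installs (CVE-2026-44825), emit a cleaned copy and the matching Authentication
API body.  Added example; assumes the standard BasicAuthPlugin layout."""
import json

TEMPLATE_USERS = {"superadmin", "admin", "search", "index"}

# Constructed sample: the operator's own account plus the four template users.
SAMPLE_SECURITY_JSON = json.dumps({
    "authentication": {
        "blockUnknown": True,
        "class": "solr.BasicAuthPlugin",
        "credentials": {  # username -> "<salted hash> <salt>" (placeholders here)
            "ops-user": "HASH_PLACEHOLDER SALT_PLACEHOLDER",
            "superadmin": "HASH_PLACEHOLDER SALT_PLACEHOLDER",
            "admin": "HASH_PLACEHOLDER SALT_PLACEHOLDER",
            "search": "HASH_PLACEHOLDER SALT_PLACEHOLDER",
            "index": "HASH_PLACEHOLDER SALT_PLACEHOLDER",
        },
    },
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "user-role": {"ops-user": "admin", "superadmin": "admin", "admin": "admin",
                      "search": "search", "index": "index"},
        "permissions": [{"name": "security-edit", "role": "admin"}],
    },
})

def find_template_users(security_json: str) -> list[str]:
    """Template users present in authentication.credentials, sorted. Presence
    only flags a candidate: a template user given a strong password after
    bootstrap is not affected, so confirm before deleting."""
    creds = json.loads(security_json).get("authentication", {}).get("credentials", {})
    return sorted(TEMPLATE_USERS & set(creds))

def remove_template_users(security_json: str) -> tuple[str, list[str]]:
    """Return (cleaned security.json text, removed users): the template users'
    credentials and role mappings are dropped, everything else is untouched."""
    cfg = json.loads(security_json)
    removed = find_template_users(security_json)
    for user in removed:
        cfg["authentication"]["credentials"].pop(user, None)
        cfg.get("authorization", {}).get("user-role", {}).pop(user, None)
    return json.dumps(cfg, indent=2), removed

def delete_user_request(users: list[str]) -> str:
    """Body for POST /solr/admin/authentication (BasicAuth 'delete-user'
    command), to remove the same users from a running cluster."""
    return json.dumps({"delete-user": users})
```

Run `find_template_users` against a copy of the live security.json first and review the list, then apply `remove_template_users` (or the API body from `delete_user_request`) only for accounts you have confirmed are still the bootstrap template users.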

What to do

No fix is available yet. Check with your software vendor for updates.

Affected software

Vendor | Product | Affected versions
apache | solr    | >= 9.4.0, <= 9.10.1; 10.0.0

CPE: cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*
Original title
Hardcoded credentials in the Basic Authentication setup tool (bin/solr auth enable) in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allows a remote attacker to gain full administrative acce...
Original description
Hardcoded credentials in the Basic Authentication setup tool (bin/solr auth enable) in Apache Solr versions 9.4.0 through 9.10.1 and 10.0.0 allow a remote attacker to gain full administrative access to the cluster via publicly known default credentials installed silently alongside the user-specified account.

As an immediate workaround without upgrading, delete the template users (superadmin, admin, search, index) from security.json or change their passwords.
The future, not yet released versions 9.11.0 and 10.1.0 will not be vulnerable; upgrading to them will be enough to resolve the issue.

Not affected:
* Clusters where bin/solr auth enable was not used to bootstrap BasicAuth
* Clusters where template users have been assigned strong passwords after bootstrap
NVD CVSS 3.1: 8.1
Vulnerability type
CWE-798 Use of Hard-coded Credentials
CWE-1188 Initialization of a Resource with an Insecure Default
Published: 1 Jun 2026 · Updated: 1 Jun 2026 · First seen: 1 Jun 2026