Monitor vulnerabilities like this one.
Sign up free to get alerted when software you use is affected.
9.8
CVE-2026-45083: Goobi viewer - Unauthenticated access to Solr data
GHSA-2rgp-f66f-4499
CVE-2026-45083
Summary
An outdated Goobi viewer API endpoint allowed unauthorized access to its entire Solr index. This meant an attacker could read, modify, or delete sensitive data, including protected documents. To fix this, the endpoint has been removed, but in the meantime, you can block it with a reverse proxy or specific configuration settings to prevent unauthorized access.
What to do
No fix is available yet. Check with your software vendor for updates.
Affected software
| Ecosystem | Vendor | Product | Affected versions |
|---|---|---|---|
| maven | goobi | io.goobi.viewer:viewer-core | >= 4.8.0, <= 26.04 |
| maven | – | io.goobi.viewer:viewer-core | >= 4.8.0, <= 26.04 |
Original title
Goobi viewer - Core: Unauthenticated Solr Streaming Expression Proxy
Original description
### Summary
The Goobi viewer REST endpoint `POST /api/v1/index/stream` accepted an arbitrary Solr streaming
expression from unauthenticated network clients and forwarded it to the backend Solr server without restriction.
An attacker could read the complete Solr index and, in default Solr deployments, also modify or delete indexed records.
The API endpoint has now been removed.
### Impact
- **Complete Solr index read without authentication.**
All documents indexed by the viewer including those protected by access conditions such as moving walls, licence requirements or IP restrictions - can be read in full.
- **Index data modification.**
`update()` streaming expressions overwrite indexed field values. An attacker can alter metadata, change `ACCESSCONDITION` values, or corrupt document structure.
- **Index data deletion.**
`delete()` streaming expressions permanently remove documents. A single expression can delete the entire collection, requiring a full re-index to recover.
### Patches
The endpoint was removed in 326980f24c
### Workarounds
Until an update can be deployed, the endpoint should be blocked by a reverse proxy or in the tomcat configuration.
For Apache httpd the following block can be used in the vhost configuration:
```
<LocationMatch ^.*api/v[12]/index/stream.*$>
Require all denied
</LocationMatch>
```
Alternatively the following security constraint can be added in tomcat via the relevant web.xml:
```
<security-constraint>
<web-resource-collection>
<web-resource-name>blocked endpoint</web-resource-name>
<url-pattern>/api/v1/index/stream</url-pattern>
<url-pattern>/api/v1/index/stream/*</url-pattern>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
```
### References
- Fix commit: 326980f24c
- Introducing commit: 6bfb1cbd42
- [Solr Streaming Expressions reference](https://solr.apache.org/guide/solr/latest/query-guide/streaming-expressions.html)
### Contact
If you have any questions or comments about this advisory:
- Email us at [[email protected]](mailto:[email protected])
The Goobi viewer REST endpoint `POST /api/v1/index/stream` accepted an arbitrary Solr streaming
expression from unauthenticated network clients and forwarded it to the backend Solr server without restriction.
An attacker could read the complete Solr index and, in default Solr deployments, also modify or delete indexed records.
The API endpoint has now been removed.
### Impact
- **Complete Solr index read without authentication.**
All documents indexed by the viewer including those protected by access conditions such as moving walls, licence requirements or IP restrictions - can be read in full.
- **Index data modification.**
`update()` streaming expressions overwrite indexed field values. An attacker can alter metadata, change `ACCESSCONDITION` values, or corrupt document structure.
- **Index data deletion.**
`delete()` streaming expressions permanently remove documents. A single expression can delete the entire collection, requiring a full re-index to recover.
### Patches
The endpoint was removed in 326980f24c
### Workarounds
Until an update can be deployed, the endpoint should be blocked by a reverse proxy or in the tomcat configuration.
For Apache httpd the following block can be used in the vhost configuration:
```
<LocationMatch ^.*api/v[12]/index/stream.*$>
Require all denied
</LocationMatch>
```
Alternatively the following security constraint can be added in tomcat via the relevant web.xml:
```
<security-constraint>
<web-resource-collection>
<web-resource-name>blocked endpoint</web-resource-name>
<url-pattern>/api/v1/index/stream</url-pattern>
<url-pattern>/api/v1/index/stream/*</url-pattern>
</web-resource-collection>
<auth-constraint/>
</security-constraint>
```
### References
- Fix commit: 326980f24c
- Introducing commit: 6bfb1cbd42
- [Solr Streaming Expressions reference](https://solr.apache.org/guide/solr/latest/query-guide/streaming-expressions.html)
### Contact
If you have any questions or comments about this advisory:
- Email us at [[email protected]](mailto:[email protected])
ghsa CVSS3.1
9.8
Vulnerability type
CWE-306
Missing Authentication for Critical Function
- https://github.com/intranda/goobi-viewer-core/security/advisories/GHSA-2rgp-f66f...
- https://github.com/intranda/goobi-viewer-core/commit/326980f24ce1e7cfabf658dd5f6...
- https://github.com/advisories/GHSA-2rgp-f66f-4499
- https://github.com/intranda/goobi-viewer-core/releases/tag/v26.04.1
- https://github.com/intranda/goobi-viewer-core/commit/6bfb1cbd4250b0b347e84a80f38...
Published: 13 May 2026 · Updated: 29 May 2026 · First seen: 13 May 2026