CVE-2026-44825 — Apache Solr: unauthenticated admin via hardcoded template credentials, no patch yet
From CTI Daily Brief — 2026-06-02 · published 2026-06-02
CVE-2026-44825 (CVSS 8.1, CWE-798/1188) stems from Apache Solr's bin/solr auth enable BasicAuth bootstrap tool, which provisions fixed template accounts (superadmin, admin, search, index) with well-known default credentials in security.json and neither removes nor randomises them after setup (BSI CERT-Bund WID-SEC-2026-1740, 2026-06-01 · THREATINT, 2026-06-01). An attacker who can reach the Solr REST API (TCP 8983 by default) needs no credentials of their own: logging in with the template accounts yields full administrative control of the cluster, including read access to every core/collection, the ability to alter configsets, and a path to server-side script execution. Affected: 9.4.0–9.10.1 and 10.0.0. Fixed builds (9.11.0 / 10.1.0) are not yet released, so the workaround is mandatory now: delete the four template users from security.json or rotate their passwords. Deployments that never ran bin/solr auth enable, or that rotated the template passwords immediately after setup, are unaffected. Reported by Naveen Sunkavally (Horizon3.ai) via Apache's oss-security list.
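To make the workaround checkable rather than a note to self, the script below audits a security.json for the four template usernames the advisory names, produces a cleaned copy with them removed, and emits the matching delete-user body for Solr's authentication edit API. It is an added example for this brief, not code from the advisory, BSI, Horizon3.ai or the Apache Solr project. It assumes the standard BasicAuthPlugin layout (authentication.credentials maps username to "hash salt", authorization.user-role maps username to a role or list of roles), assumes the administrative role is literally named "admin" (ADMIN_ROLE, adjust to your deployment), and the sample security.json is constructed with placeholder hash strings, not real Solr hashes. The delete-user command is the BasicAuthPlugin edit API as I understand it; confirm it against the reference guide for your Solr version before use.

```python
"""
Audit a Solr security.json for the BasicAuth template accounts left behind by
`bin/solr auth enable` (CVE-2026-44825), emit a cleaned copy and the matching
`delete-user` body for POST /solr/admin/authentication.

Added example for this brief, not code from the advisory or from Apache Solr.
Assumptions: standard BasicAuthPlugin layout (authentication.credentials maps
username -> "<base64 hash> <base64 salt>", authorization.user-role maps
username -> role or list of roles) and an admin role literally named ADMIN_ROLE.
"""
from __future__ import annotations

import copy
import json

# Template usernames named in the advisory. Presence alone is a heuristic:
# rotating the password is also a valid fix, and the stored hash does not
# reveal whether the well-known default password is still in use.
TEMPLATE_USERS = {"superadmin", "admin", "search", "index"}
ADMIN_ROLE = "admin"  # assumption: adjust to the role name your permissions use

# Constructed sample security.json; hash/salt strings are placeholders only.
SAMPLE_SECURITY_JSON = json.dumps({
    "authentication": {
        "blockUnknown": True,
        "class": "solr.BasicAuthPlugin",
        "credentials": {
            "superadmin": "c3VwZXJhZG1pbi1oYXNo c2FsdDE=",
            "admin": "YWRtaW4taGFzaA== c2FsdDI=",
            "search": "c2VhcmNoLWhhc2g= c2FsdDM=",
            "index": "aW5kZXgtaGFzaA== c2FsdDQ=",
            "ops-svc": "b3BzLWhhc2g= c2FsdDU=",   # a non-template operator account
        },
    },
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "permissions": [{"name": "security-edit", "role": ADMIN_ROLE},
                        {"name": "all", "role": ADMIN_ROLE}],
        "user-role": {
            "superadmin": ADMIN_ROLE,
            "admin": ADMIN_ROLE,
            "search": ["search"],
            "index": ["index"],
            "ops-svc": [ADMIN_ROLE],
        },
    },
})


def find_template_users(security: dict) -> set[str]:
    """Template usernames still present in authentication.credentials."""
    creds = security.get("authentication", {}).get("credentials", {})
    return TEMPLATE_USERS & set(creds)


def _roles(value) -> set[str]:
    # user-role values may be a single role string or a list of roles
    return {value} if isinstance(value, str) else set(value or [])


def remaining_admins(security: dict, removed: set[str]) -> set[str]:
    """Admin-role users that would survive removing `removed`."""
    user_role = security.get("authorization", {}).get("user-role", {})
    return {u for u, r in user_role.items()
            if u not in removed and ADMIN_ROLE in _roles(r)}


def remove_template_users(security: dict) -> tuple[dict, set[str]]:
    """Return (cleaned security.json, removed users); refuses to remove the
    last admin-role account so the workaround cannot lock operators out."""
    found = find_template_users(security)
    if found and not remaining_admins(security, found):
        raise RuntimeError(
            "removing %s leaves no %s-role user; create a replacement admin "
            "first, or rotate the template passwords instead" % (sorted(found), ADMIN_ROLE))
    cleaned = copy.deepcopy(security)
    for user in found:
        cleaned["authentication"]["credentials"].pop(user, None)
        cleaned.get("authorization", {}).get("user-role", {}).pop(user, None)
    return cleaned, found


def delete_user_command(users: set[str]) -> str:
    """JSON body for POST /solr/admin/authentication (BasicAuthPlugin edit API)."""
    return json.dumps({"delete-user": sorted(users)})


def audit(raw_json: str) -> dict:
    security = json.loads(raw_json)
    cleaned, removed = remove_template_users(security)
    return {
        "template_users_present": sorted(removed),
        "admins_after_removal": sorted(remaining_admins(security, removed)),
        "cleaned": cleaned,
        "api_command": delete_user_command(removed),
    }


if __name__ == "__main__":
    report = audit(SAMPLE_SECURITY_JSON)
    print("template accounts found:", report["template_users_present"])
    print("admin-role users remaining:", report["admins_after_removal"])
    print("authentication API body:", report["api_command"])
```

An empty result from find_template_users means the deployment is not exposed through this CVE as described (it either never ran the bootstrap or already removed the accounts); a non-empty result means review, not confirmed compromise, since a rotated password leaves the username in place. The lockout guard matters because the template set includes the only admin accounts the bootstrap creates: deleting them without a replacement admin turns a security fix into an outage.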
CVE Summary Table
| CVE | Product | CVSS | EPSS | KEV | Exploited | Patch | Source |
|---|---|---|---|---|---|---|---|
| CVE-2026-8732 | WP Maps Pro WordPress plugin ≤ 6.1.0 | 9.8 | n/a | No | Yes | 6.1.1 | BleepingComputer |
| CVE-2026-8931 | Disig Web Signer 2.0.3–2.5.3 (eIDAS client) | 9.4 | n/a | No | No | 2.5.5 | Disig |
| CVE-2026-44825 | Apache Solr 9.4.0–9.10.1, 10.0.0 | 8.1 | n/a | No | No | None yet (workaround) | BSI CERT-Bund |
| CVE-2026-41089 | Windows Netlogon (all supported Server) | 9.8 | n/a | No | Yes | May 2026 PT | BleepingComputer |
CVE-2026-41089 is treated as a §4 update (active exploitation of a previously-covered May Patch Tuesday fix); see §0 Immediate Action and §4.