ctipilot.ch

Apache Solr 9.4.0-9.10.1/10.0.0 — hardcoded BasicAuth template credentials allow unauthenticated remote admin (CVSS 8.1, BSI WID-SEC-2026-1740); no patch yet, manual workaround

cve · CVE-2026-44825

Coverage timeline
1
first 2026-06-02 → last 2026-06-02
Peak priority
notable
1 notable
Sources cited
5
4 hosts
Sections touched
1
trending-vulnerabilities
Co-occurring entities
0
no co-occurrence
ATT&CK techniques
0
no mapped behavior yet

Story timeline

  1. 2026-06-02CVE-2026-44825 — Apache Solr: unauthenticated admin via hardcoded template credentials, no patch yet
    trending-vulnerabilities

Where this entity is cited

  • trending-vulnerabilities1

Source distribution

  • bleepingcomputer.com2 (40%)
  • cve.threatint.eu1 (20%)
  • disig.sk1 (20%)
  • wid.cert-bund.de1 (20%)

explore in graph

Entries about Apache Solr 9.4.0-9.10.1/10.0.0 — hardcoded BasicAuth template credentials allow unauthenticated remote admin (CVSS 8.1, BSI WID-SEC-2026-1740); no patch yet, manual workaround (1)

2026-06-02 · view entry permalink →

CVE-2026-44825 — Apache Solr: unauthenticated admin via hardcoded template credentials, no patch yet

CVE-2026-44825 (CVSS 8.1, CWE-798/1188) stems from Apache Solr's bin/solr auth enable BasicAuth bootstrap tool, which provisions fixed template accounts (superadmin, admin, search, index) with well-known default credentials in security.json and does not remove or randomise them after setup (BSI CERT-Bund WID-SEC-2026-1740, 2026-06-01 · THREATINT, 2026-06-01). An unauthenticated attacker reaching the Solr REST API (HTTP/8983 by default) can authenticate with those credentials and take full administrative control of the cluster — reading every core/collection, altering configsets, and pivoting to server-side script execution. Affected: 9.4.0–9.10.1 and 10.0.0; fixed builds (9.11.0 / 10.1.0) are not yet released, so the workaround is mandatory now: delete the four template users from security.json or rotate their passwords. Deployments that never ran bin/solr auth enable, or rotated template passwords immediately, are unaffected. Reported by Naveen Sunkavally (Horizon3.ai) via Apache's oss-security list.

CVE Summary Table

CVE Product CVSS EPSS KEV Exploited Patch Source
CVE-2026-8732 WP Maps Pro WordPress plugin ≤ 6.1.0 9.8 n/a No Yes 6.1.1 BleepingComputer
CVE-2026-8931 Disig Web Signer 2.0.3–2.5.3 (eIDAS client) 9.4 n/a No No 2.5.5 Disig
CVE-2026-44825 Apache Solr 9.4.0–9.10.1, 10.0.0 8.1 n/a No No None yet (workaround) BSI CERT-Bund
CVE-2026-41089 Windows Netlogon (all supported Server) 9.8 n/a No Yes May 2026 PT BleepingComputer

CVE-2026-41089 is treated as a §4 update (active exploitation of a previously-covered May Patch Tuesday fix);

vulnerability02 Jun 05:00Zmulti-sourceOpen finding ↗