What is CVE-2026-44825?
CVE-2026-44825 is a hardcoded credentials vulnerability in Apache Solr's Basic Authentication setup tool, bin/solr auth enable, that can silently install undocumented template accounts with publicly known default credentials, giving a remote attacker full administrative access to the SolrCloud cluster. The vulnerability carries a CVSS v3.1 base score of 8.1 (High).
Exploitation requires no prior authentication. When an administrator uses bin/solr auth enable to configure BasicAuth, the tool writes a security.json file that may include additional template user accounts, including accounts named superadmin, admin, search, and index, each configured with a password that matches the username. Because the credentials are identical to documented defaults, any attacker aware of the issue can attempt authentication with no additional reconnaissance.
The practical impact is full administrative control of the cluster. An attacker who authenticates as superadmin can read, modify, or delete any index, alter cluster configuration, and pivot to any system the Solr cluster is authorized to reach.
What assets are affected by CVE-2026-44825?
Apache Solr versions 9.4.0 through 9.10.1 and version 10.0.0 are affected. The vulnerability is specific to SolrCloud deployments where administrators have enabled Basic Authentication using bin/solr auth enable. Deployments that configured BasicAuth through other means, or that never enabled BasicAuth at all, are not affected by this specific issue.
Apache Solr powers enterprise search, e-commerce product catalogs, log analytics pipelines, and document management platforms across a wide range of industries. SolrCloud clusters are commonly internet-facing or reachable from cloud environments, and administrative interfaces are often left accessible beyond the intended perimeter during initial setup or after infrastructure changes.
The silent installation of template accounts compounds the risk: administrators who verify their own account credentials after setup have no obvious reason to check for additional accounts they did not create. The template users may persist for extended periods without detection.
What does our data show about exposure patterns?
Using the CyCognito platform, we identified externally reachable Apache Solr assets that may be exposed to this issue across a range of industries. Because no asset file was provided for this advisory, per-sector percentages are not available for this post.
The nature of Apache Solr deployments, widely adopted across data-heavy industries including retail, media, financial services, and enterprise IT, suggests that exposure is broadly distributed rather than concentrated in a single sector. Organizations running Solr as part of search or analytics infrastructure often inherit the software through platform bundles or third-party applications, which can delay visibility into version currency and authentication state.
Cross-sector deployments of this kind also tend to accumulate transitional infrastructure: Solr clusters stood up for a specific application and never decommissioned, or upgraded to a new version in production while older instances remain accessible in staging or development environments.
Are fixes available?
Patches are available. Apache has released Solr 9.11.0 and 10.1.0 to address CVE-2026-44825. Organizations running any version from 9.4.0 through 9.10.1, or version 10.0.0, should upgrade to the respective fixed release.
For deployments where an immediate upgrade is not possible, Apache recommends deleting the template accounts created by bin/solr auth enable. The accounts to audit and remove are superadmin, admin, search, and index. These accounts are defined in security.json and can be removed or have their credentials rotated through the Solr Security API.
Defenders should verify directly with Apache's security advisory and their deployment's security.json contents rather than assuming a prior authentication review was comprehensive. The absence of self-created accounts with weak credentials does not rule out the presence of silently installed template accounts.
Are there any other recommended actions to take?
Until patching is confirmed, defenders should:
- Audit security.json on all SolrCloud nodes for undocumented template accounts
- Remove or rotate credentials for superadmin, admin, search, and index if present
- Restrict network access to the Solr admin interface at the firewall or WAF layer
- Monitor Solr authentication logs for logins using default credential patterns
- Inventory all Solr deployments, including staging and development instances, to identify versions in the affected range
- Verify that BasicAuth-enabled clusters were not configured using bin/solr auth enable on any affected version
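The first two steps above (audit security.json for the four template accounts, then remove them through the Security API) can be scripted. The following is an added example written for this post, not CyCognito's or Apache's code. It assumes that Solr's BasicAuthPlugin stores each credential as "hash salt", where the salt is base64 and the hash is base64(sha256(sha256(salt || password))), and that the Security API accepts a delete-user command posted to /solr/admin/authentication. The sample security.json is constructed for the example; the only real names it relies on are the template usernames given in the advisory.

```python
"""Audit a SolrCloud security.json for the advisory's template accounts and
build the Security API request body that removes them.

Added example, not the advisory's or Apache Solr's own code.  The credential
format and the delete-user command are assumptions stated in the lead-in;
the sample security.json below is constructed."""
import base64
import hashlib
import json
import os

# Template usernames named in the advisory.
TEMPLATE_USERS = ("superadmin", "admin", "search", "index")


def solr_hash(password: str, salt_b64: str) -> str:
    """Salted hash as (assumed) stored by Solr's BasicAuthPlugin:
    base64(sha256(sha256(salt || password)))."""
    salt = base64.b64decode(salt_b64)
    inner = hashlib.sha256(salt + password.encode("utf-8")).digest()
    return base64.b64encode(hashlib.sha256(inner).digest()).decode("ascii")


def make_credential(password: str, salt: bytes = b"") -> str:
    """Build a 'hash salt' credentials entry; used here only to construct
    the sample file (assumed format, see lead-in)."""
    salt = salt or os.urandom(32)
    salt_b64 = base64.b64encode(salt).decode("ascii")
    return f"{solr_hash(password, salt_b64)} {salt_b64}"


def audit_security_json(doc: dict) -> dict:
    """Return {username: finding} for every template account present.

    'default-password' means the stored hash verifies against a password equal
    to the username (the pattern the advisory describes); 'present' means the
    account exists but its password has already been changed.  Either state is
    a finding: the advisory says to remove the accounts, not just rotate them.
    """
    creds = doc.get("authentication", {}).get("credentials", {})
    findings = {}
    for user in TEMPLATE_USERS:
        if user not in creds:
            continue
        parts = creds[user].split(" ")
        if len(parts) == 2 and solr_hash(user, parts[1]) == parts[0]:
            findings[user] = "default-password"
        else:
            findings[user] = "present"
    return findings


def delete_user_payload(findings: dict) -> str:
    """JSON body for the Security API's delete-user command (assumed to be
    POSTed to /solr/admin/authentication by an authenticated operator)."""
    return json.dumps({"delete-user": sorted(findings)})


# Constructed sample: one legitimate operator account, one template account
# still at its default password, one template account already rotated.
SAMPLE_SECURITY_JSON = {
    "authentication": {
        "blockUnknown": True,
        "class": "solr.BasicAuthPlugin",
        "credentials": {
            "ops": make_credential("correct horse battery staple"),
            "superadmin": make_credential("superadmin"),
            "search": make_credential("rotated-by-ops"),
        },
    },
    "authorization": {"class": "solr.RuleBasedAuthorizationPlugin"},
}

if __name__ == "__main__":
    found = audit_security_json(SAMPLE_SECURITY_JSON)
    for user, state in found.items():
        print(f"{user}: {state}")
    print("Security API body:", delete_user_payload(found))
```

On a live cluster, replace SAMPLE_SECURITY_JSON with the document read from ZooKeeper (bin/solr zk cp zk:/security.json ... on each cluster) and run the audit on every node, since the bullet above calls for checking all of them; the delete-user body is what an administrator would send, with their own credentials, to the authentication endpoint after confirming the findings.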
How can CyCognito help your organization?
CyCognito published an Emerging Threat Advisory for CVE-2026-44825 in the CyCognito platform and is actively researching enhanced detection capabilities for this vulnerability.
To learn how CyCognito can help your organization reduce external exposure and manage emerging threats more effectively, contact us to request a demo.