CVE-2026-22022 Overview
CVE-2026-22022 is an authorization bypass vulnerability affecting Apache Solr deployments that use the Rule Based Authorization Plugin. The vulnerability stems from insufficiently strict input validation, allowing unauthorized access to certain Solr APIs. This affects Apache Solr versions 5.3.0 through 9.10.0 when specific configuration conditions are met.
Critical Impact
Attackers can bypass authorization controls to access protected Solr APIs, potentially exposing sensitive configuration data, schema information, and security settings without proper authentication.
Affected Products
- Apache Solr versions 5.3.0 through 9.10.0
- Deployments using RuleBasedAuthorizationPlugin with multiple roles configured
- Configurations using pre-defined permissions without the "all" permission defined
Discovery Timeline
- January 21, 2026 - CVE-2026-22022 published to NVD
- January 21, 2026 - Last updated in NVD database
Technical Details for CVE-2026-22022
Vulnerability Analysis
This authorization bypass vulnerability (CWE-285: Improper Authorization) allows attackers to circumvent access controls in Apache Solr's Rule Based Authorization Plugin. The vulnerability is exploitable via network access without requiring authentication or user interaction.
The flaw specifically impacts deployments that meet all of the following criteria:
- Use of Solr's RuleBasedAuthorizationPlugin
- A configuration in security.json that specifies multiple roles
- Permission lists using pre-defined permission rules such as config-read, config-edit, schema-read, metrics-read, or security-read
- Permission lists that do not define the "all" pre-defined permission
- A networking setup that allows unfiltered client requests to reach Solr directly
When these conditions are met, attackers can craft requests that bypass the intended authorization checks, gaining access to protected API endpoints.
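The configuration review these criteria call for can be automated for the conditions that are visible in the file itself (the network criterion has to be checked separately). The script below is an added example written for this page, not code from the advisory or from the Apache Solr project: it parses a security.json, collects every role referenced on permissions and in the user-role mapping, and reports whether the RuleBasedAuthorizationPlugin is configured with more than one role and pre-defined permissions but without an "all" entry. The sample configuration is constructed, the password hash is a placeholder, and the set of pre-defined permission names is taken from the Solr Rule-Based Authorization Plugin documentation.

```python
"""Audit a Solr security.json for the exposure conditions listed above.

Added example, not part of the original advisory or the Apache Solr project.
The network criterion cannot be judged from the file and is left out.
"""
import json

# Pre-defined permission names from the Solr Rule-Based Authorization Plugin
# documentation; "all" is the catch-all whose absence the advisory describes.
PREDEFINED_PERMISSIONS = {
    "security-edit", "security-read", "schema-edit", "schema-read",
    "config-edit", "config-read", "core-admin-edit", "core-admin-read",
    "collection-admin-edit", "collection-admin-read", "metrics-read",
    "update", "read", "health", "all",
}


def _roles(value):
    """Normalise a "role" value: Solr accepts a string, a list, or null."""
    if value is None:
        return set()
    if isinstance(value, str):
        return {value}
    return set(value)


def audit_security_json(text):
    """Evaluate one security.json document against the file-level criteria.

    "vulnerable" is True only when every checked condition holds: the rule
    based plugin is configured, more than one role is referenced, at least
    one pre-defined permission is listed, and no "all" permission exists.
    """
    doc = json.loads(text)
    authz = doc.get("authorization") or {}
    permissions = authz.get("permissions") or []

    uses_rbap = str(authz.get("class", "")).endswith("RuleBasedAuthorizationPlugin")

    # Roles referenced on permissions and in the user-role mapping.
    roles = set()
    for perm in permissions:
        roles |= _roles(perm.get("role"))
    for mapped in (authz.get("user-role") or {}).values():
        roles |= _roles(mapped)

    names = {perm.get("name") for perm in permissions}
    predefined_used = sorted((names & PREDEFINED_PERMISSIONS) - {"all"})
    has_all = "all" in names
    vulnerable = uses_rbap and len(roles) > 1 and bool(predefined_used) and not has_all

    return {
        "uses_rule_based_plugin": uses_rbap,
        "roles": sorted(roles),
        "predefined_permissions": predefined_used,
        "has_all_permission": has_all,
        "vulnerable": vulnerable,
    }


# Constructed sample: two roles, pre-defined permissions, no "all" entry.
VULNERABLE_EXAMPLE = json.dumps({
    "authentication": {
        "class": "solr.BasicAuthPlugin",
        "blockUnknown": True,
        "credentials": {"solr": "<password-hash placeholder>"},
    },
    "authorization": {
        "class": "solr.RuleBasedAuthorizationPlugin",
        "permissions": [
            {"name": "security-read", "role": "admin"},
            {"name": "config-read", "role": ["admin", "dev"]},
        ],
        "user-role": {"solr": "admin", "alice": "dev"},
    },
})


def harden(text):
    """Apply the advisory's workaround: add an "all" permission for the admin role."""
    doc = json.loads(text)
    doc["authorization"]["permissions"].append({"name": "all", "role": "admin"})
    return json.dumps(doc, indent=2)


if __name__ == "__main__":
    for label, cfg in (("before", VULNERABLE_EXAMPLE), ("after", harden(VULNERABLE_EXAMPLE))):
        print(label, audit_security_json(cfg))
```

Run it against each deployment's security.json (in SolrCloud the file is held in ZooKeeper) and treat any "vulnerable": True result as a candidate for the workaround or the upgrade.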
Root Cause
The vulnerability originates from insufficiently strict input validation within the RuleBasedAuthorizationPlugin components. The authorization plugin fails to properly validate and restrict access when certain pre-defined permissions are configured without a catch-all permission rule. This allows request patterns that should be denied to slip through the authorization checks.
Attack Vector
The attack is network-based and requires no authentication or user interaction. Attackers exploit the flaw by sending specially crafted HTTP or HTTPS requests directly to a vulnerable Solr instance. The requests target the authorization decision logic of the RuleBasedAuthorizationPlugin, exploiting gaps in how permissions are evaluated when the "all" permission is not defined.
The vulnerability allows unauthorized access to sensitive API endpoints including:
- Configuration read/write operations (config-read, config-edit)
- Schema information (schema-read)
- Metrics data (metrics-read)
- Security configuration (security-read)
Detection Methods for CVE-2026-22022
Indicators of Compromise
- Unexpected API requests to Solr endpoints from unauthorized sources
- Access logs showing requests to /solr/admin/config, /solr/admin/schema, /solr/admin/metrics, or /solr/admin/security from unusual IP addresses
- Unauthorized configuration changes in Solr clusters
- Anomalous query patterns targeting administrative endpoints
Detection Strategies
- Monitor Solr access logs for requests to administrative API endpoints from non-administrative sources
- Implement network-level monitoring for traffic patterns targeting Solr instances on ports 8983 (HTTP) or 8984 (HTTPS)
- Review security.json configurations to identify vulnerable permission setups lacking the "all" permission
- Deploy intrusion detection rules to flag suspicious request patterns to Solr admin APIs
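The log-monitoring strategy above can be expressed as a small filter over the Solr request log. The script below is an added example written for this page, not code from the advisory or from the Apache Solr project: it parses request-log lines in NCSA combined format (the format a Jetty request log typically writes) and reports requests to sensitive endpoints from addresses outside an administrative network, marking whether each request succeeded. The administrative network 10.0.0.0/24 and the log lines are constructed for the example. Beyond the /solr/admin/... paths in the indicators list, it also matches the per-collection Config and Schema API paths (/solr/<collection>/config and /solr/<collection>/schema) and the /solr/admin/authentication and /solr/admin/authorization endpoints that the security-read and security-edit permissions cover.

```python
"""Flag Solr administrative API requests from non-administrative sources.

Added example, not from the original advisory or the Apache Solr project.
Input: request-log lines in NCSA combined format (constructed below).
"""
import ipaddress
import re

# Administrative source networks. Assumption for this example; replace with
# the addresses of your own operators, orchestration and monitoring hosts.
ADMIN_NETWORKS = [ipaddress.ip_network("10.0.0.0/24")]

# Endpoints behind the pre-defined permissions named in the advisory:
# the /solr/admin/... paths from the indicators list, the per-collection
# Config and Schema API paths, and the authentication/authorization APIs
# that security-read and security-edit govern.
SENSITIVE_PATH = re.compile(
    r"^/solr/(?:[^/?]+/(?:config|schema)"
    r"|admin/(?:metrics|security|authentication|authorization))(?:[/?]|$)"
)

# NCSA combined log line: client, ident, user, [time], "METHOD path proto", status, size, ...
LOG_LINE = re.compile(
    r'^(?P<ip>\S+) \S+ (?P<user>\S+) \[(?P<time>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+'
)


def parse_line(line):
    """Split one request-log line into its fields; None if it does not parse."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    fields = m.groupdict()
    fields["status"] = int(fields["status"])
    return fields


def is_admin_source(ip):
    """True when the client address falls inside an administrative network."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:
        return False
    return any(addr in net for net in ADMIN_NETWORKS)


def find_suspicious(lines):
    """Return sensitive-endpoint requests that did not come from an admin network.

    Each finding records whether the request succeeded (2xx). A success is the
    strongest signal: with RuleBasedAuthorizationPlugin enforcing correctly, a
    caller without the matching role should have received 401 or 403.
    """
    findings = []
    for line in lines:
        rec = parse_line(line)
        if rec is None or is_admin_source(rec["ip"]):
            continue
        if not SENSITIVE_PATH.match(rec["path"]):
            continue
        findings.append({
            "ip": rec["ip"],
            "user": rec["user"],
            "method": rec["method"],
            "path": rec["path"],
            "status": rec["status"],
            "succeeded": 200 <= rec["status"] < 300,
        })
    return findings


# Constructed sample log lines; client addresses are from documentation ranges.
SAMPLE_LOG = [
    '10.0.0.5 - solr [21/Jan/2026:10:01:02 +0000] "GET /solr/admin/metrics?group=jvm HTTP/1.1" 200 5120 "-" "curl/8.5.0"',
    '203.0.113.7 - - [21/Jan/2026:10:02:15 +0000] "GET /solr/techproducts/config HTTP/1.1" 200 2048 "-" "python-requests/2.31"',
    '203.0.113.7 - - [21/Jan/2026:10:02:16 +0000] "GET /solr/admin/authorization HTTP/1.1" 403 120 "-" "python-requests/2.31"',
    '198.51.100.9 - - [21/Jan/2026:10:03:00 +0000] "GET /solr/techproducts/select?q=*:* HTTP/1.1" 200 900 "-" "Mozilla/5.0"',
]

if __name__ == "__main__":
    for f in find_suspicious(SAMPLE_LOG):
        flag = "SUCCEEDED" if f["succeeded"] else "denied"
        print(f"{f['ip']:>15} {f['method']} {f['path']} -> {f['status']} ({flag})")
```

On the constructed sample the metrics request from the administrative host and the ordinary search query are ignored, while both requests from 203.0.113.7 are reported; the successful Config API read is the one that warrants investigation.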
Monitoring Recommendations
- Enable comprehensive access logging for all Solr API endpoints
- Configure alerting for failed and successful authorization attempts to sensitive endpoints
- Implement network segmentation monitoring to detect direct client access to Solr instances
- Regularly audit RuleBasedAuthorizationPlugin configurations across all Solr deployments
How to Mitigate CVE-2026-22022
Immediate Actions Required
- Review all Solr deployments using RuleBasedAuthorizationPlugin for vulnerable configurations
- Add the "all" pre-defined permission to security.json and associate it with an admin or privileged role
- Implement network-level filtering to prevent unfiltered client requests from reaching Solr directly
- Upgrade to Apache Solr 9.10.1 or later, which addresses this vulnerability
Patch Information
Apache has released Solr version 9.10.1 which resolves this vulnerability. Organizations should upgrade to this version or later to fully remediate the issue. For detailed information, refer to the Apache Security Mailing List Thread and the Openwall OSS-Security Discussion.
Workarounds
- Configure the "all" pre-defined permission in your RuleBasedAuthorizationPlugin and assign it to an admin role
- Deploy a reverse proxy or API gateway in front of Solr to filter and validate incoming requests
- Implement network segmentation to ensure Solr instances are not directly accessible from untrusted networks
- Restrict access to Solr administrative endpoints using firewall rules
Example security.json authorization section to mitigate the vulnerability. Add the "all" permission and associate it with the admin role; keep your existing permission entries in the same list and make sure your administrative users are mapped to that role in "user-role" (the user name solr below is a placeholder for your own administrative account). Restart Solr after modifying security.json for the change to take effect.
{
  "authorization": {
    "class": "solr.RuleBasedAuthorizationPlugin",
    "permissions": [
      {"name": "all", "role": "admin"}
    ],
    "user-role": {"solr": "admin"}
  }
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.