CVE-2026-45083 Overview
CVE-2026-45083 is an authentication bypass vulnerability in the Goobi viewer, a web application used to display digitised material in a web browser. The flaw exists in the REST endpoint POST /api/v1/index/stream, which accepts arbitrary Solr streaming expressions from unauthenticated network clients and forwards them to the backend Solr server without restriction. Attackers can read the complete Solr index. In default Solr deployments, attackers can also modify or delete indexed records. The vulnerability affects Goobi viewer versions from 4.8.0 to before 26.04.1 and is tracked under [CWE-306] (Missing Authentication for Critical Function).
Critical Impact
Unauthenticated remote attackers can read, modify, or delete the entire Solr index backing the Goobi viewer instance.
Affected Products
- Goobi viewer (intranda/goobi-viewer-core) versions 4.8.0 through versions prior to 26.04.1
- Goobi viewer deployments using default Solr backend configurations
- Digital library and digitisation platforms built on the affected Goobi viewer releases
Discovery Timeline
- 2026-05-27 - CVE-2026-45083 published to NVD
- 2026-05-27 - Last updated in NVD database
Technical Details for CVE-2026-45083
Vulnerability Analysis
The Goobi viewer exposes a REST endpoint at POST /api/v1/index/stream intended to handle Solr streaming expressions. The endpoint does not enforce authentication and does not validate or restrict the content of the streaming expression before forwarding it to the backend Apache Solr server. As a result, any network client can submit arbitrary Solr streaming expressions that the backend will execute.
Solr streaming expressions are a powerful query and data manipulation language. Read expressions such as search, select, and export allow extraction of the entire index. In Solr deployments configured with default access controls, write-capable expressions such as update and delete are also reachable, enabling record modification or destruction.
Root Cause
The root cause is missing authentication on a critical backend function [CWE-306]. The /api/v1/index/stream endpoint acts as an unauthenticated proxy to Solr without expression filtering, allow-listing, or caller identity checks.
Attack Vector
An unauthenticated attacker with network access to a vulnerable Goobi viewer instance sends an HTTP POST request to /api/v1/index/stream containing a crafted Solr streaming expression. The viewer relays the expression to the Solr backend and returns the response. Confidentiality is impacted through complete index disclosure. Integrity and availability are impacted when the Solr backend permits write operations, allowing deletion or tampering of indexed catalog records.
No verified public exploit code is available. Refer to the GitHub Security Advisory GHSA-2rgp-f66f-4499 for additional technical context.
Detection Methods for CVE-2026-45083
Indicators of Compromise
- HTTP POST requests to /api/v1/index/stream originating from unauthenticated or unexpected source addresses.
- Solr access logs containing streaming expressions such as search(, update(, or delete( initiated by the Goobi viewer service account outside normal application workflows.
- Unexpected reductions in document counts or modification timestamps across Solr collections backing the Goobi viewer.
Detection Strategies
- Monitor web server and reverse-proxy logs for requests to the /api/v1/index/stream path and alert on volume spikes or unauthenticated callers.
- Inspect Solr server logs for streaming expression invocations that do not correlate with legitimate Goobi viewer user activity.
- Compare Solr index document counts and checksums against known baselines to identify unauthorized modification or deletion.
Monitoring Recommendations
- Forward Goobi viewer access logs and Solr query logs to a centralized logging or SIEM platform for correlation and retention.
- Alert on any HTTP request to /api/v1/index/stream from source IPs outside trusted internal networks.
- Track Solr write operations (update, delete, commit) and review whether they map to expected administrative jobs.
How to Mitigate CVE-2026-45083
Immediate Actions Required
- Upgrade Goobi viewer to version 26.04.1 or later, which fixes the unauthenticated streaming endpoint.
- Restrict network access to the Goobi viewer REST API to trusted networks until patching is complete.
- Audit Solr index contents and recent write operations to confirm no unauthorized modification has occurred.
Patch Information
The vulnerability is fixed in Goobi viewer version 26.04.1. The fix is implemented in upstream commits 326980f24ce1e7cfabf658dd5f615934ca68ebbd and 6bfb1cbd4250b0b347e84a80f38e8bf46acac705. Administrators should review the GitHub Security Advisory GHSA-2rgp-f66f-4499 before upgrading.
Workarounds
- Block external access to /api/v1/index/stream at the reverse proxy or web application firewall until the upgrade is applied.
- Bind the backend Solr server to localhost or a private network segment so it is not reachable from untrusted clients.
- Configure Solr authentication and authorization plugins to disallow write operations from the Goobi viewer service account where streaming write expressions are not required.
# Example nginx rule to block the vulnerable endpoint until patched
location = /api/v1/index/stream {
return 403;
}
Disclaimer: This content was generated using AI. While we strive for accuracy, please verify critical information with official sources.
