Logo
-

Byte Open Security

(ByteOS Network)

Log In

Sign Up

ByteOS

Security
Vulnerability Details
Registries
Custom Views
Weaknesses
Attack Patterns
Filters & Tools
NVD Vulnerability Details :
CVE-2026-22022
Analyzed
More InfoOfficial Page
Source-security@apache.org
View Known Exploited Vulnerability (KEV) details
Published At-21 Jan, 2026 | 14:16
Updated At-27 Jan, 2026 | 20:34

Deployments of Apache Solr 5.3.0 through 9.10.0 that rely on Solr's "Rule Based Authorization Plugin" are vulnerable to allowing unauthorized access to certain Solr APIs, due to insufficiently strict input validation in those components.  Only deployments that meet all of the following criteria are impacted by this vulnerability: * Use of Solr's "RuleBasedAuthorizationPlugin" * A RuleBasedAuthorizationPlugin config (see security.json) that specifies multiple "roles" * A RuleBasedAuthorizationPlugin permission list (see security.json) that uses one or more of the following pre-defined permission rules: "config-read", "config-edit", "schema-read", "metrics-read", or "security-read". * A RuleBasedAuthorizationPlugin permission list that doesn't define the "all" pre-defined permission * A networking setup that allows clients to make unfiltered network requests to Solr. (i.e. user-submitted HTTP/HTTPS requests reach Solr as-is, unmodified or restricted by any intervening proxy or gateway) Users can mitigate this vulnerability by ensuring that their RuleBasedAuthorizationPlugin configuration specifies the "all" pre-defined permission and associates the permission with an "admin" or other privileged role.  Users can also upgrade to a Solr version outside of the impacted range, such as the recently released Solr 9.10.1.

CISA Catalog
Date AddedDue DateVulnerability NameRequired Action
N/A
Date Added: N/A
Due Date: N/A
Vulnerability Name: N/A
Required Action: N/A
Metrics
TypeVersionBase scoreBase severityVector
Secondary3.18.2HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
Type: Secondary
Version: 3.1
Base score: 8.2
Base severity: HIGH
Vector:
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:L/A:N
CPE Matches
The Apache Software Foundation
apache
>>solr>>Versions from 5.3.0(inclusive) to 9.10.1(exclusive)
cpe:2.3:a:apache:solr:*:*:*:*:*:*:*:*
Weaknesses
CWE IDTypeSource
CWE-285Secondarysecurity@apache.org
CWE ID: CWE-285
Type: Secondary
Source: security@apache.org
Evaluator Description
Evaluator Impact

Evaluator Solution

Vendor Statements
References
HyperlinkSourceResource
https://lists.apache.org/thread/d59hqbgo7p62myq7mgfpz7or8n1j7wbnsecurity@apache.org
Mailing List
Vendor Advisory
http://www.openwall.com/lists/oss-security/2026/01/20/4af854a3a-2127-422b-91ae-364da2661108
Mailing List
Third Party Advisory
Hyperlink: https://lists.apache.org/thread/d59hqbgo7p62myq7mgfpz7or8n1j7wbn
Source: security@apache.org
Resource:
Mailing List
Vendor Advisory
Hyperlink: http://www.openwall.com/lists/oss-security/2026/01/20/4
Source: af854a3a-2127-422b-91ae-364da2661108
Resource:
Mailing List
Third Party Advisory
Change History
0Changes found
Details not found