CVE-2026-22022

CVE-2026-22022 is a vulnerability in Apache Solr versions 5.3.0 through 9.10.0 that affects deployments relying on the Rule Based Authorization Plugin due to insufficiently strict input validation. This flaw enables unauthorized access to certain Solr APIs, but only impacts configurations meeting all of the following criteria: use of the RuleBasedAuthorizationPlugin; a security.json configuration specifying multiple roles; permission lists that include one or more of the pre-defined rules "config-read", "config-edit", "schema-read", "metrics-read", or "security-read" without defining the "all" pre-defined permission; and a networking setup allowing unfiltered client requests to Solr.

Attackers can exploit this vulnerability remotely over the network with no authentication required (AV:N/AC:L/PR:N), provided the networking allows direct HTTP/HTTPS access to Solr without proxy or gateway restrictions. Successful exploitation grants unauthorized access to sensitive APIs, resulting in high confidentiality impact (such as reading configurations or metrics) and low integrity impact, as reflected in the CVSS v3.1 base score of 8.2 (C:H/I:L/A:N). The issue stems from CWE-285 (Improper Authorization).

Apache advisories recommend mitigating by updating the RuleBasedAuthorizationPlugin configuration in security.json to specify the "all" pre-defined permission and associate it with an "admin" or other privileged role. Alternatively, users should upgrade to Solr 9.10.1 or later versions outside the affected range. Details are available in the Apache announcement at https://lists.apache.org/thread/d59hqbgo7p62myq7mgfpz7or8n1j7wbn and the OSS-Security mailing list at http://www.openwall.com/lists/oss-security/2026/01/20/4.